Bruk oidc config fra azureator for å unngå proxy for å hente well kno…

…wn (#1048)

* Bruk oidc config fra azureator for å unngå proxy for å hente well known

* Mer sentralisert proxy-oppsett

felles/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/jwks/JwksKeyHandlerImpl.java

@@ -24,32 +24,26 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import no.nav.foreldrepenger.konfig.Environment;
 import no.nav.vedtak.exception.TekniskException;
 
 public class JwksKeyHandlerImpl implements JwksKeyHandler {
-    private static final Environment ENV = Environment.current();
-
-    public static final String PROXY_KEY = "proxy.url";
 
     private static final Logger LOG = LoggerFactory.getLogger(JwksKeyHandlerImpl.class);
-    private static final String DEFAULT_PROXY_URL = "http://webproxy.nais:8088";
-    private static final RequestConfig PROXY_CONFIG = createProxyConfig();
 
     private final Supplier<String> jwksStringSupplier;
     private final URL url;
 
     private JsonWebKeySet keyCache;
 
-    public JwksKeyHandlerImpl(URL url, boolean useProxyForJwks) {
-        this(() -> httpGet(url, useProxyForJwks), url);
+    public JwksKeyHandlerImpl(URL url, boolean useProxyForJwks, String proxy) {
+        this(() -> httpGet(url, useProxyForJwks, proxy), url);
     }
 
     public JwksKeyHandlerImpl(Supplier<String> jwksStringSupplier, String url) throws MalformedURLException {
         this(jwksStringSupplier, new URL(url));
     }
 
-    public JwksKeyHandlerImpl(Supplier<String> jwksStringSupplier, URL url) {
+    private JwksKeyHandlerImpl(Supplier<String> jwksStringSupplier, URL url) {
         this.jwksStringSupplier = jwksStringSupplier;
         this.url = url;
     }
@@ -99,20 +93,20 @@ private void refreshKeyCache() {
         }
     }
 
-    private static RequestConfig createProxyConfig() {
+    private static RequestConfig createProxyConfig(String proxy) {
         return RequestConfig.custom()
-                .setProxy(HttpHost.create(ENV.getProperty(PROXY_KEY, DEFAULT_PROXY_URL)))
+                .setProxy(HttpHost.create(proxy))
                 .build();
     }
 
-    private static String httpGet(URL url, boolean useProxyForJwks) {
+    private static String httpGet(URL url, boolean useProxyForJwks, String proxy) {
         if (url == null) {
             throw new TekniskException("F-836283", "Mangler konfigurasjon av jwks url");
         }
         HttpGet httpGet = new HttpGet(url.toExternalForm());
         httpGet.addHeader("accept", "application/json");
         if (useProxyForJwks) {
-            httpGet.setConfig(PROXY_CONFIG);
+            httpGet.setConfig(createProxyConfig(proxy));
         }
 
         try (CloseableHttpClient httpClient = HttpClients.createDefault()) {

felles/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/oidc/OidcProvider.java

@@ -9,18 +9,20 @@ public final class OidcProvider {
     private final URL jwks;
     private final URI tokenEndpoint;
     private final boolean useProxyForJwks;
+    private final String proxy;
     private final String clientName;
     private final int allowedClockSkewInSeconds;
     private final boolean skipAudienceValidation;
 
     public OidcProvider(OidcProviderType type,
                         URL issuer, URL jwks, URI tokenEndpoint,
-                        boolean useProxyForJwks, String clientName,
+                        boolean useProxyForJwks, String proxy, String clientName,
                         int allowedClockSkewInSeconds, boolean skipAudienceValidation) {
         this.type = type;
         this.issuer = issuer;
         this.jwks = jwks;
         this.useProxyForJwks = useProxyForJwks;
+        this.proxy = proxy;
         this.tokenEndpoint = tokenEndpoint;
         this.clientName = clientName;
         this.allowedClockSkewInSeconds = allowedClockSkewInSeconds;
@@ -47,6 +49,10 @@ public boolean isUseProxyForJwks() {
         return useProxyForJwks;
     }
 
+    public String getProxy() {
+        return proxy;
+    }
+
     public String getClientName() {
         return clientName;
     }

felles/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/oidc/OidcProviderConfig.java

@@ -8,11 +8,11 @@
 import java.net.URI;
 import java.net.URL;
 import java.util.HashSet;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
 
-import org.ietf.jgss.Oid;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -35,10 +35,14 @@ public final class OidcProviderConfig {
 
     private static final String AZURE_WELL_KNOWN_URL = "azure.app.well.known.url"; // naiserator
     private static final String AZURE_CLIENT_ID = "azure.app.client.id"; // naiserator
+    private static final String AZURE_HTTP_PROXY = "azure.http.proxy"; // settes ikke av naiserator
 
     private static final String TOKEN_X_WELL_KNOWN_URL = "token.x.well.known.url"; // naiserator
     private static final String TOKEN_X_CLIENT_ID = "token.x.client.id"; // naiserator
 
+    private static final String PROXY_KEY = "proxy.url"; // FP-oppsett lite brukt
+    private static final String DEFAULT_PROXY_URL = "http://webproxy.nais:8088";
+
     private static volatile OidcProviderConfig instance; // NOSONAR
     private static Set<OidcProvider> providers = new HashSet<>();
 
@@ -122,7 +126,7 @@ private static OidcProvider createOpenAmConfiguration(String wellKnownUrl) {
             getIssuerFra(wellKnownUrl).orElse(OpenAMHelper.getIssoIssuerUrl()),
             getJwksFra(wellKnownUrl).orElse(OpenAMHelper.getIssoJwksUrl()),
             getTokenEndpointFra(wellKnownUrl).orElse(null),
-            false,
+            false, null,
             OpenAMHelper.getIssoUserName(),
             true);
     }
@@ -134,18 +138,20 @@ private static OidcProvider createStsConfiguration(String wellKnownUrl) {
             getIssuerFra(wellKnownUrl).orElse(ENV.getProperty("oidc.sts.issuer.url")),
             getJwksFra(wellKnownUrl).orElse(ENV.getProperty("oidc.sts.jwks.url")),
             getTokenEndpointFra(wellKnownUrl).orElse(null),
-            false,
+            false, null,
             "Client name is not used for OIDC STS",
             true);
     }
 
-    private static OidcProvider createAzureAppConfiguration(final String wellKnownUrl) {
+    @SuppressWarnings("unused")
+    private static OidcProvider createAzureAppConfiguration(String wellKnownUrl) {
+        // Antar at satt via Azureator iht dokumentasjon - ellers må man bruke proxy for å hente well-known ....
         return createConfiguration(OidcProviderType.AZUREAD,
             "oidc_azure",
-            getIssuerFra(wellKnownUrl).orElseThrow(),
-            getJwksFra(wellKnownUrl).orElseThrow(),
-            getTokenEndpointFra(wellKnownUrl).orElse(null),
-            !ENV.isLocal(),
+            ENV.getRequiredProperty("azure.openid.config.issuer"),
+            ENV.getRequiredProperty("azure.openid.config.jwks.uri"),
+            URI.create(ENV.getRequiredProperty("azure.openid.config.token.endpoint")),
+            !ENV.isLocal(), ENV.getProperty(AZURE_HTTP_PROXY, getDefaultProxy()),
             ENV.getRequiredProperty(AZURE_CLIENT_ID),
             true);
     }
@@ -156,7 +162,7 @@ private static OidcProvider createLoginServiceConfiguration(String wellKnownUrl)
             getIssuerFra(wellKnownUrl).orElseThrow(),
             getJwksFra(wellKnownUrl).orElseThrow(),
             getTokenEndpointFra(wellKnownUrl).orElse(null),
-            !ENV.isLocal(),
+            !ENV.isLocal(), getDefaultProxy(),
             ENV.getRequiredProperty(LOGINSERVICE_CLIENT_ID),
             false);
     }
@@ -167,7 +173,7 @@ private static OidcProvider createTokenXConfiguration(String wellKnownUrl) {
             getIssuerFra(wellKnownUrl).orElseThrow(),
             getJwksFra(wellKnownUrl).orElseThrow(),
             getTokenEndpointFra(wellKnownUrl).orElse(null),
-            false,
+            false, null,
             ENV.getRequiredProperty(TOKEN_X_CLIENT_ID),
             false);
     }
@@ -178,19 +184,23 @@ private static OidcProvider createConfiguration(OidcProviderType type,
                                                     String jwks,
                                                     URI tokenEndpoint,
                                                     boolean useProxyForJwks,
+                                                    String proxy,
                                                     String clientName,
                                                     boolean skipAudienceValidation) {
-        return Optional.ofNullable(clientName)
-                .map(c -> new OidcProvider(
+        return new OidcProvider(
                         type,
                         url(issuer, "issuer", providerName),
                         url(jwks, "jwks", providerName),
                         tokenEndpoint,
                         useProxyForJwks,
-                        c,
+                        proxy,
+                        Objects.requireNonNull(clientName),
                     30,
-                        skipAudienceValidation))
-                .orElseThrow();
+                        skipAudienceValidation);
+    }
+
+    private static String getDefaultProxy() {
+        return ENV.getProperty(PROXY_KEY, DEFAULT_PROXY_URL);
     }
 
     private static URL url(String url, String key, String providerName) {

felles/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/oidc/OidcTokenValidator.java

@@ -29,8 +29,8 @@ public class OidcTokenValidator {
     private final boolean skipAudienceValidation;
 
     public OidcTokenValidator(OidcProvider config) {
-        this(config.getIssuer().toExternalForm(), new JwksKeyHandlerImpl(config.getJwks(), config.isUseProxyForJwks()), config.getClientName(),
-                config.getAllowedClockSkewInSeconds(), config.isSkipAudienceValidation());
+        this(config.getIssuer().toExternalForm(), new JwksKeyHandlerImpl(config.getJwks(), config.isUseProxyForJwks(), config.getProxy()),
+            config.getClientName(), config.getAllowedClockSkewInSeconds(), config.isSkipAudienceValidation());
     }
 
     // Skal bare brukes direkte fra tester, prod-kode skal kalle public constructors

integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/tokenhenter/AzureAccessTokenKlient.java

@@ -24,7 +24,6 @@
 import no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper;
 import no.nav.foreldrepenger.konfig.Environment;
 import no.nav.vedtak.exception.TekniskException;
-import no.nav.vedtak.sikkerhet.oidc.OidcProvider;
 import no.nav.vedtak.sikkerhet.oidc.OidcProviderConfig;
 import no.nav.vedtak.sikkerhet.oidc.OidcProviderType;
 
@@ -49,11 +48,12 @@ public class AzureAccessTokenKlient {
     private Map<String, LocalTokenHolder> tokenHolderMap;
 
     public AzureAccessTokenKlient() {
+        var tokenProviderConfig = OidcProviderConfig.instance().getOidcProvider(OidcProviderType.AZUREAD).orElseThrow();
         tokenHolderMap = new LinkedHashMap<>();
-        tokenEndpoint = OidcProviderConfig.instance().getOidcProvider(OidcProviderType.AZUREAD).map(OidcProvider::getTokenEndpoint).orElseThrow();
+        tokenEndpoint = tokenProviderConfig.getTokenEndpoint();
+        azureProxy = tokenProviderConfig.getProxy();
         clientId = ENV.getProperty("azure.app.client.id", "foreldrepenger");
         clientSecret = ENV.getProperty("azure.app.client.secret", "foreldrepenger");
-        azureProxy = ENV.getProperty("azure.http.proxy","http://webproxy.nais:8088");
     }
 
     public synchronized String hentAccessToken(String scope) {