From 7163a5c3248ac4b9aee7f756c8c1a5d1916bbc5c Mon Sep 17 00:00:00 2001 
From: Jens-Otto Larsen <46576810+jolarsen@users.noreply.github.com> Date: Mon, 5 Sep 2022 21:51:50 +0200 Subject: [PATCH] Fase 2 modernisering av abac-grensesnitt (#1173) --- .../sikkerhet/abac/LegacyTokenProvider.java | 5 - .../sikkerhet/abac/AbacAttributtSamling.java | 106 ------ .../sikkerhet/abac/AbacAuditlogger.java | 85 +---- .../vedtak/sikkerhet/abac/AbacIdToken.java | 63 ---- .../sikkerhet/abac/BeskyttetRessurs.java | 3 - .../abac/BeskyttetRessursActionAttributt.java | 17 - .../abac/BeskyttetRessursInterceptor.java | 71 +--- .../abac/NavAbacCommonAttributter.java | 25 -- .../nav/vedtak/sikkerhet/abac/PdpKlient.java | 7 - .../nav/vedtak/sikkerhet/abac/PdpRequest.java | 61 ---- .../sikkerhet/abac/PdpRequestBuilder.java | 10 +- .../no/nav/vedtak/sikkerhet/abac/Pep.java | 9 - .../no/nav/vedtak/sikkerhet/abac/PepImpl.java | 54 +-- .../sikkerhet/abac/Tilgangsbeslutning.java | 10 +- .../vedtak/sikkerhet/abac/TokenProvider.java | 8 - .../sikkerhet/abac/pdp/AppRessursData.java | 19 +- .../sikkerhet/abac/pipdata/AbacPipDto.java | 8 + .../abac/pipdata/PipAkt\303\270rId.java" | 78 ++++ .../PipBehandlingStatus.java} | 7 +- .../PipFagsakStatus.java} | 7 +- .../PipOverstyring.java} | 7 +- .../nav/vedtak/sikkerhet/pdp/PdpConsumer.java | 8 +- .../vedtak/sikkerhet/pdp/PdpConsumerImpl.java | 8 - .../vedtak/sikkerhet/pdp/PdpKlientImpl.java | 72 +--- .../pdp/XacmlRequestBuilderTjeneste.java | 17 - .../pdp/xacml/XacmlAttributeSet.java | 27 -- .../pdp/xacml/XacmlRequestBuilder.java | 67 ---- .../sikkerhet/abac/DummyRequestBuilder.java | 5 - .../vedtak/sikkerhet/abac/PdpRequestTest.java | 79 ---- .../vedtak/sikkerhet/abac/PepImplNyTest.java | 107 ------ .../vedtak/sikkerhet/abac/PepImplTest.java | 59 ++- .../vedtak/sikkerhet/abac/PipdataTest.java | 59 +++ .../sikkerhet/pdp/PdpKlientImplTest.java | 227 ++++++------ .../sikkerhet/pdp/PdpKlientNyImplTest.java | 337 ------------------ .../pdp/XacmlRequestBuilderTjenesteImpl.java | 112 ------ 35 files changed, 360 insertions(+), 1484 
deletions(-) delete mode 100644 felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAttributtSamling.java delete mode 100644 felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacIdToken.java delete mode 100644 felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursActionAttributt.java delete mode 100644 felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/NavAbacCommonAttributter.java delete mode 100644 felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpRequest.java create mode 100644 felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pipdata/AbacPipDto.java create mode 100644 "felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pipdata/PipAkt\303\270rId.java" rename felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/{pdp/BehandlingStatus.java => pipdata/PipBehandlingStatus.java} (68%) rename felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/{pdp/FagsakStatus.java => pipdata/PipFagsakStatus.java} (64%) rename felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/{pdp/Overstyring.java => pipdata/PipOverstyring.java} (60%) delete mode 100644 felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestBuilderTjeneste.java delete mode 100644 felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlAttributeSet.java delete mode 100644 felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlRequestBuilder.java delete mode 100644 felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PdpRequestTest.java delete mode 100644 felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplNyTest.java create mode 100644 felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PipdataTest.java delete mode 100644 felles/abac/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientNyImplTest.java delete mode 100644 felles/abac/src/test/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestBuilderTjenesteImpl.java 
diff --git a/felles/abac-legacy/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/LegacyTokenProvider.java b/felles/abac-legacy/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/LegacyTokenProvider.java index d2987b13b..4ac0aaf5e 100644 --- a/felles/abac-legacy/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/LegacyTokenProvider.java +++ b/felles/abac-legacy/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/LegacyTokenProvider.java @@ -14,11 +14,6 @@ public String getUid() { return SubjectHandler.getSubjectHandler().getUid(); } - @Override - public String userToken() { - return SubjectHandler.getSubjectHandler().getInternSsoToken(); - } - @Override public OpenIDToken openIdToken() { return SubjectHandler.getSubjectHandler().getOpenIDToken(); diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAttributtSamling.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAttributtSamling.java deleted file mode 100644 index daa15b5cb..000000000 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAttributtSamling.java +++ /dev/null 
@@ -1,106 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-import java.net.URI;
-import java.util.Objects;
-import java.util.Set;
-
-import com.nimbusds.jwt.SignedJWT;
-
-import no.nav.vedtak.sikkerhet.abac.AbacIdToken.TokenType;
-
-public class AbacAttributtSamling {
- private final AbacIdToken idToken;
- private final AbacDataAttributter dataAttributter = AbacDataAttributter.opprett();
- private BeskyttetRessursActionAttributt actionType;
- private String resource;
- private String action;
-
- private AbacAttributtSamling(AbacIdToken idToken) {
- this.idToken = idToken;
- }
-
- public static AbacAttributtSamling medJwtToken(String jwtToken) {
- return medJwtToken(jwtToken, oidcTokenType(jwtToken));
- }
-
- public static AbacAttributtSamling medJwtToken(String jwtToken, TokenType type) {
- Objects.requireNonNull(jwtToken);
- return new AbacAttributtSamling(AbacIdToken.withToken(jwtToken, type));
- }
-
- public static AbacAttributtSamling medSamlToken(String samlToken) {
- Objects.requireNonNull(samlToken);
- return new AbacAttributtSamling(AbacIdToken.withToken(samlToken, TokenType.SAML));
- }
-
- public AbacAttributtSamling leggTil(AbacDataAttributter dataAttributter) {
- this.dataAttributter.leggTil(dataAttributter);
- return this;
- }
-
- public Set getVerdier(AbacAttributtType type) {
- return dataAttributter.getVerdier(type);
- }
-
- public Set keySet() {
- return dataAttributter.keySet();
- }
-
- public AbacIdToken getIdToken() {
- return idToken;
- }
-
- public AbacAttributtSamling setActionType(BeskyttetRessursActionAttributt actionType) {
- this.actionType = actionType;
- return this;
- }
-
- public BeskyttetRessursActionAttributt getActionType() {
- return actionType;
- }
-
- public AbacAttributtSamling setResource(String resource) {
- this.resource = resource;
- return this;
- }
-
- public String getResource() {
- return resource;
- }
-
- public int getTotalAntallAttributter() {
- return dataAttributter.keySet().stream().mapToInt(k ->
dataAttributter.getVerdier(k).size()).sum(); - } - - public int kryssProduktAntallAttributter() { - return dataAttributter.keySet().stream() - .mapToInt(k -> dataAttributter.getVerdier(k).size()) - .filter(s -> s > 0) - .reduce(1, (a, b) -> a * b); - } - - public AbacAttributtSamling setAction(String action) { - this.action = action; - return this; - } - - public String getAction() { - return action; - } - - private static TokenType oidcTokenType(String token) { - try { - return URI.create(SignedJWT.parse(token) - .getJWTClaimsSet().getIssuer()).getHost().contains("tokendings") ? TokenType.TOKENX : TokenType.OIDC; - - } catch (Exception e) { - throw new IllegalArgumentException("Ukjent token type"); - } - } - - @Override - public String toString() { - return getClass().getSimpleName() + " [idToken=" + idToken + ", dataAttributter=" + dataAttributter + ", actionType=" + actionType - + ", resource=" + resource + ", action=" + action + "]"; - } -} diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAuditlogger.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAuditlogger.java index 3c2f426db..6aef0d2f5 100644 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAuditlogger.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAuditlogger.java @@ -12,8 +12,6 @@ import static no.nav.vedtak.log.audit.EventClassId.AUDIT_ACCESS; import static no.nav.vedtak.log.audit.EventClassId.AUDIT_CREATE; import static no.nav.vedtak.log.audit.EventClassId.AUDIT_UPDATE; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR; import static no.nav.vedtak.sikkerhet.abac.StandardAbacAttributtType.BEHANDLING_ID; import static no.nav.vedtak.sikkerhet.abac.StandardAbacAttributtType.BEHANDLING_UUID; import static no.nav.vedtak.sikkerhet.abac.StandardAbacAttributtType.FAGSAK_ID; 
@@ -52,33 +50,16 @@ public AbacAuditlogger(Auditlogger auditlogger) { this.auditlogger = auditlogger; } - public void loggTilgang(String userId, Tilgangsbeslutning tilgangsbeslutning, AbacAttributtSamling attributter) { - logg(userId, tilgangsbeslutning, attributter, Access.GRANTED); + public void loggTilgang(String userId, Tilgangsbeslutning tilgangsbeslutning) { + logg(userId, tilgangsbeslutning, Access.GRANTED); } - public void loggDeny(String userId, Tilgangsbeslutning tilgangsbeslutning, AbacAttributtSamling attributter) { - logg(userId, tilgangsbeslutning, attributter, Access.DENIED); + public void loggDeny(String userId, Tilgangsbeslutning tilgangsbeslutning) { + logg(userId, tilgangsbeslutning, Access.DENIED); } - private void logg(String userId, Tilgangsbeslutning tilgangsbeslutning, AbacAttributtSamling attributter, Access access) { - if (tilgangsbeslutning.pdpRequest() != null) { - logg(userId, tilgangsbeslutning.pdpRequest(), attributter, access); - } else { - logg(userId, tilgangsbeslutning.beskyttetRessursAttributter(), tilgangsbeslutning.appRessursData(), access); - } - } - - private void logg(String userId, PdpRequest pdpRequest, AbacAttributtSamling attributter, Access access) { - requireNonNull(pdpRequest); - - String abacAction = requireNonNull(pdpRequest.getString(NavAbacCommonAttributter.XACML10_ACTION_ACTION_ID)); - var header = createHeader(abacAction, access); - var fields = createDefaultAbacFields(userId, pdpRequest, attributter); - - List ids = getBerortBrukerId(pdpRequest); - for (String aktorId : ids) { - loggTilgangPerBerortAktoer(header, fields, aktorId); - } + private void logg(String userId, Tilgangsbeslutning tilgangsbeslutning, Access access) { + logg(userId, tilgangsbeslutning.beskyttetRessursAttributter(), tilgangsbeslutning.appRessursData(), access); } private void logg(String userId, BeskyttetRessursAttributter beskyttetRessursAttributter, AppRessursData appRessursData, Access access) { 
@@ -112,31 +93,6 @@ private AuditdataHeader createHeader(String abacAction, Access access) { .build(); } - private Set createDefaultAbacFields(String userId, PdpRequest pdpRequest, AbacAttributtSamling attributter) { - String abacAction = requireNonNull(pdpRequest.getString(NavAbacCommonAttributter.XACML10_ACTION_ACTION_ID)); - String abacResourceType = requireNonNull(pdpRequest.getString(NavAbacCommonAttributter.RESOURCE_FELLES_RESOURCE_TYPE)); - - Set fields = new HashSet<>(); - fields.add(new CefField(EVENT_TIME, System.currentTimeMillis())); - fields.add(new CefField(REQUEST, attributter.getAction())); - fields.add(new CefField(ABAC_RESOURCE_TYPE, abacResourceType)); - fields.add(new CefField(ABAC_ACTION, abacAction)); - - if (userId != null) { - fields.add(new CefField(USER_ID, userId)); - } - - getOneOf(attributter, SAKSNUMMER, FAGSAK_ID).ifPresent(fagsak -> { - fields.addAll(forSaksnummer(fagsak)); - }); - - getOneOf(attributter, BEHANDLING_UUID, BEHANDLING_ID).ifPresent(behandling -> { - fields.addAll(forBehandling(behandling)); - }); - - return Set.copyOf(fields); - } - private Set createDefaultAbacFields(String userId, BeskyttetRessursAttributter beskyttetRessursAttributter) { String abacAction = requireNonNull(beskyttetRessursAttributter.getActionType().getEksternKode()); String abacResourceType = requireNonNull(beskyttetRessursAttributter.getResourceType()); 
@@ -162,19 +118,6 @@ private Set createDefaultAbacFields(String userId, BeskyttetRessursAtt return Set.copyOf(fields); } - private List getBerortBrukerId(PdpRequest pdpRequest) { - /* - * Arcsight foretrekker FNR fremfor AktørID, men det er uklart hvordan de - * håndterer blanding (har sendt forespørsel, men ikke fått svar). Velger derfor - * at AktørID prioriteres (siden alle kallene i k9-sak har denne). - */ - final List ids = allNonNullValues(pdpRequest, RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE); - if (!ids.isEmpty()) { - return ids; - } - return allNonNullValues(pdpRequest, RESOURCE_FELLES_PERSON_FNR); - } - private List getBerortBrukerId(AppRessursData appRessursData) { /* * Arcsight foretrekker FNR fremfor AktørID, men det er uklart hvordan de @@ -188,16 +131,6 @@ private List getBerortBrukerId(AppRessursData appRessursData) { return appRessursData.getFødselsnumre().stream().filter(Objects::nonNull).collect(Collectors.toList()); } - private static final Optional getOneOf(AbacAttributtSamling attributter, AbacAttributtType... typer) { - for (AbacAttributtType key : typer) { - final Set values = attributter.getVerdier(key); - if (!values.isEmpty()) { - return Optional.of(values.stream().map(v -> v.toString()).collect(Collectors.joining(","))); - } - } - return Optional.empty(); - } - private static final Optional getOneOfNew(AbacDataAttributter attributter, AbacAttributtType... typer) { for (AbacAttributtType key : typer) { final Set values = attributter.getVerdier(key); @@ -217,12 +150,6 @@ private static final EventClassId finnEventClassIdFra(String abacAction) { }; } - private static final List allNonNullValues(PdpRequest pdpRequest, String key) { - return pdpRequest.getListOfString(key).stream() - .filter(Objects::nonNull) - .collect(Collectors.toList()); - } - /** * Standard hos NAV er at tilgang logges som "INFO" og avslag som "WARN". Merk * at dette avviker fra CEF-standarden. 
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacIdToken.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacIdToken.java
deleted file mode 100644
index 64b707ced..000000000
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacIdToken.java
+++ /dev/null
@@ -1,63 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-public class AbacIdToken {
-
- public enum TokenType {
- OIDC,
- TOKENX,
- SAML;
- }
-
- private final String token;
- private final TokenType tokenType;
-
- private AbacIdToken(String token, TokenType tokenType) {
- this.token = token;
- this.tokenType = tokenType;
- }
-
- @Deprecated
- public static AbacIdToken withOidcToken(String token) {
- return withToken(token, TokenType.OIDC);
- }
-
- public static AbacIdToken withToken(String token, TokenType type) {
- return new AbacIdToken(token, type);
- }
-
- @Deprecated
- public static AbacIdToken withSamlToken(String token) {
- return withToken(token, TokenType.SAML);
- }
-
- public TokenType getTokenType() {
- return tokenType;
- }
-
- private String token() {
- return TokenType.SAML.equals(tokenType) ? "samlToken='MASKERT'" : "jwtToken='" + maskerOidcToken(token) + '\'';
- }
-
- @Deprecated
- public boolean erOidcToken() {
- return TokenType.OIDC.equals(tokenType);
- }
-
- @Deprecated
- public boolean erSamlToken() {
- return TokenType.SAML.equals(tokenType);
- }
-
- public String getToken() {
- return token;
- }
-
- private static String maskerOidcToken(String token) {
- return token.substring(0, token.lastIndexOf('.')) + ".MASKERT";
- }
-
- @Override
- public String toString() {
- return getClass().getSimpleName() + " [token=" + token() + ", tokenType=" + tokenType + "]";
- }
-}
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessurs.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessurs.java
index 4e3aa721b..c9165ef83 100644
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessurs.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessurs.java @@ -20,9 +20,6 @@ @Target({ ElementType.TYPE, ElementType.METHOD }) @NameBinding public @interface BeskyttetRessurs { - @Nonbinding - BeskyttetRessursActionAttributt action() default BeskyttetRessursActionAttributt.DUMMY; - @Nonbinding ActionType actionType() default ActionType.DUMMY; diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursActionAttributt.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursActionAttributt.java deleted file mode 100644 index ebf0805e3..000000000 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursActionAttributt.java +++ /dev/null @@ -1,17 +0,0 @@ -package no.nav.vedtak.sikkerhet.abac; - -public enum BeskyttetRessursActionAttributt { - READ, - UPDATE, - CREATE, - DELETE, - - /** - * Skal kun brukes av Interceptor - */ - DUMMY; - - public String getEksternKode() { - return this != DUMMY ? name().toLowerCase() : null; - } -} diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursInterceptor.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursInterceptor.java index d0997164b..37136f26e 100644 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursInterceptor.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursInterceptor.java @@ -10,7 +10,6 @@ import javax.interceptor.AroundInvoke; import javax.interceptor.Interceptor; import javax.interceptor.InvocationContext; -import javax.jws.WebService; import org.jboss.weld.interceptor.util.proxy.TargetInstanceProxy; 
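Review bot: With `action()` removed, `ActionType actionType() default ActionType.DUMMY` is the only way an endpoint states its action, and the default means a `@BeskyttetRessurs` that forgets it still compiles and reaches the PEP/PDP as DUMMY — the deleted `BeskyttetRessursActionAttributt` documents DUMMY as "interceptor only" and returns a null external code for it, and `AbacAuditlogger` does `requireNonNull(getActionType().getEksternKode())`, so if `ActionType` mirrors that enum the omission would presumably surface as an NPE during audit logging rather than as a clear deny. Consider dropping the default so a missing action is a compile error: `ActionType actionType();` — the interceptor's own binding annotation already passes `actionType = ActionType.DUMMY` explicitly, so it keeps compiling. The annotation's remaining elements continue outside the hunk.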
@@ -22,7 +21,7 @@ import no.nav.vedtak.sikkerhet.abac.internal.ActionUthenter; import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter; -@BeskyttetRessurs(action = BeskyttetRessursActionAttributt.DUMMY, resource = "") +@BeskyttetRessurs(actionType = ActionType.DUMMY, resource = "") @Interceptor @Priority(Interceptor.Priority.APPLICATION + 11) @Dependent 
@@ -42,30 +41,28 @@ public BeskyttetRessursInterceptor(Pep pep, AbacAuditlogger abacAuditlogger, Tok @AroundInvoke public Object wrapTransaction(final InvocationContext invocationContext) throws Exception { - var attributter = hentAttributter(invocationContext); var dataAttributter = finnAbacDataAttributter(invocationContext); - attributter.leggTil(dataAttributter); var beskyttetRessursAttributter = hentBeskyttetRessursAttributter(invocationContext, dataAttributter); - var beslutning = pep.nyttAbacGrensesnitt() ? pep.vurderTilgang(beskyttetRessursAttributter) : pep.vurderTilgang(attributter); + var beslutning = pep.vurderTilgang(beskyttetRessursAttributter); if (beslutning.fikkTilgang()) { - return proceed(invocationContext, attributter, beslutning); + return proceed(invocationContext, beslutning); } - return ikkeTilgang(attributter, beslutning); + return ikkeTilgang(beslutning); } - private Object proceed(InvocationContext invocationContext, AbacAttributtSamling attributter, Tilgangsbeslutning beslutning) throws Exception { + private Object proceed(InvocationContext invocationContext, Tilgangsbeslutning beslutning) throws Exception { Method method = invocationContext.getMethod(); boolean sporingslogges = method.getAnnotation(BeskyttetRessurs.class).sporingslogg(); if (sporingslogges) { Object resultat = invocationContext.proceed(); - abacAuditlogger.loggTilgang(tokenProvider.getUid(), beslutning, attributter); + abacAuditlogger.loggTilgang(tokenProvider.getUid(), beslutning); return resultat; } return invocationContext.proceed(); } - private Object ikkeTilgang(AbacAttributtSamling attributter, Tilgangsbeslutning beslutning) { - abacAuditlogger.loggDeny(tokenProvider.getUid(), beslutning, attributter); + private Object ikkeTilgang(Tilgangsbeslutning beslutning) { + abacAuditlogger.loggDeny(tokenProvider.getUid(), beslutning); switch (beslutning.beslutningKode()) { case AVSLÅTT_KODE_6 -> throw new PepNektetTilgangException("F-709170", 
"Tilgangskontroll.Avslag.Kode6"); @@ -75,30 +72,12 @@ private Object ikkeTilgang(AbacAttributtSamling attributter, Tilgangsbeslutning } } - private AbacAttributtSamling hentAttributter(InvocationContext invocationContext) { - Class clazz = getOpprinneligKlasse(invocationContext); - var method = invocationContext.getMethod(); - var serviceType = clazz.getAnnotation(WebService.class) != null ? ServiceType.WEBSERVICE : ServiceType.REST; - var attributter = ServiceType.WEBSERVICE.equals(serviceType) - ? AbacAttributtSamling.medSamlToken(tokenProvider.samlToken()) - : AbacAttributtSamling.medJwtToken(tokenProvider.openIdToken().token()); - var beskyttetRessurs = method.getAnnotation(BeskyttetRessurs.class); - - attributter.setActionType(mapToBeskyttetRessursActionAttributt(beskyttetRessurs)); - - attributter.setResource(finnResource(beskyttetRessurs)); - - attributter.setAction(utledAction(clazz, method, serviceType)); - return attributter; - } - private BeskyttetRessursAttributter hentBeskyttetRessursAttributter(InvocationContext invocationContext, AbacDataAttributter dataAttributter) { Class clazz = getOpprinneligKlasse(invocationContext); var method = invocationContext.getMethod(); var beskyttetRessurs = method.getAnnotation(BeskyttetRessurs.class); - // Todo fjerne når relevante endepunkt er annotert - da henter vi fra beskyttetressurs . serviceType - var serviceType = clazz.getAnnotation(WebService.class) != null ? ServiceType.WEBSERVICE : ServiceType.REST; + var serviceType = beskyttetRessurs.serviceType(); var token = ServiceType.WEBSERVICE.equals(serviceType) ? Token.withSamlToken(tokenProvider.samlToken()) 
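Review bot: `var serviceType = beskyttetRessurs.serviceType();` drops the `@WebService` fallback that the removed TODO was waiting on, so a SOAP endpoint whose annotation does not say `serviceType = ServiceType.WEBSERVICE` is now classified by whatever `serviceType()` defaults to (not visible here, presumably REST) and the PDP call is made with `tokenProvider.openIdToken()` instead of the SAML token. Nothing in this hunk verifies that every `@WebService` class in the consuming modules was migrated; a cheap consistency guard keeps the old detection as an assertion: `if (clazz.isAnnotationPresent(WebService.class) && !ServiceType.WEBSERVICE.equals(serviceType)) throw new IllegalStateException("Utviklerfeil: @WebService-endepunkt uten serviceType=WEBSERVICE i @BeskyttetRessurs");` — that needs the `javax.jws.WebService` import this commit removes. The alternative is a one-off search of the consumers before merge. `hentBeskyttetRessursAttributter` continues outside the hunk.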
@@ -108,7 +87,7 @@ private BeskyttetRessursAttributter hentBeskyttetRessursAttributter(InvocationCo .medUserId(tokenProvider.getUid()) .medToken(token) .medServiceType(serviceType) - .medActionType(mapToActionType(beskyttetRessurs)) + .medActionType(beskyttetRessurs.actionType()) .medResourceType(finnResource(beskyttetRessurs)) .medPepId(pep.pepId()) .medServicePath(utledAction(clazz, method, serviceType)) @@ -168,8 +147,8 @@ private static void leggTil(AbacDataAttributter attributter, TilpassetAbacAttrib @SuppressWarnings("rawtypes") private static Class getOpprinneligKlasse(InvocationContext invocationContext) { Object target = invocationContext.getTarget(); - if (target instanceof TargetInstanceProxy) { - return ((TargetInstanceProxy) target).weld_getTargetClass(); + if (target instanceof TargetInstanceProxy tip) { + return tip.weld_getTargetClass(); } return target.getClass(); } 
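Review bot: `.medActionType(beskyttetRessurs.actionType())` now forwards the annotation value verbatim, and the annotation's default is `ActionType.DUMMY`, so an endpoint without an explicit action is evaluated by the PDP with a placeholder action unless the builder rejects it (its validation is outside this file). Since this interceptor is the enforcement point, I would fail closed before any PDP call: `if (ActionType.DUMMY.equals(beskyttetRessurs.actionType())) throw new IllegalStateException("Utviklerfeil: @BeskyttetRessurs mangler actionType");`. The previous `mapToActionType` helper had the same gap, but its removal makes this the only place the value passes through. `hentBeskyttetRessursAttributter` starts and ends outside the hunk.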
@@ -178,32 +157,6 @@ private static String utledAction(Class clazz, Method method, ServiceType ser return ActionUthenter.action(clazz, method, serviceType); } - private static ActionType mapToActionType(BeskyttetRessurs beskyttetRessurs) { - if (!ActionType.DUMMY.equals(beskyttetRessurs.actionType())) { - return beskyttetRessurs.actionType(); - } - return switch (beskyttetRessurs.action()) { - case READ -> ActionType.READ; - case CREATE -> ActionType.CREATE; - case DELETE -> ActionType.DELETE; - case UPDATE -> ActionType.UPDATE; - case DUMMY -> ActionType.DUMMY; - }; - } - - private static BeskyttetRessursActionAttributt mapToBeskyttetRessursActionAttributt(BeskyttetRessurs beskyttetRessurs) { - if (!ActionType.DUMMY.equals(beskyttetRessurs.actionType())) { - return switch (beskyttetRessurs.actionType()) { - case READ -> BeskyttetRessursActionAttributt.READ; - case CREATE -> BeskyttetRessursActionAttributt.CREATE; - case DELETE -> BeskyttetRessursActionAttributt.DELETE; - case UPDATE -> BeskyttetRessursActionAttributt.UPDATE; - default -> BeskyttetRessursActionAttributt.DUMMY; - }; - } - return beskyttetRessurs.action(); - } - private static String finnResource(BeskyttetRessurs beskyttetRessurs) { if (!beskyttetRessurs.property().isEmpty() && ENV.getProperty(beskyttetRessurs.property()) != null) { return ENV.getProperty(beskyttetRessurs.property()); diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/NavAbacCommonAttributter.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/NavAbacCommonAttributter.java deleted file mode 100644 index a38422547..000000000 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/NavAbacCommonAttributter.java +++ /dev/null 
@@ -1,25 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-/**
- * Inneholder subset av konstanter deklareret i aba-common-attributter modul i
- * Nav.
- *
- * @see abac-common-attributes-alfa / CommonAttributter.
- */
-public class NavAbacCommonAttributter {
-
- public static final String ENVIRONMENT_FELLES_TOKENX_TOKEN_BODY = "no.nav.abac.attributter.environment.felles.tokenx_token_body";
- public static final String ENVIRONMENT_FELLES_SAML_TOKEN = "no.nav.abac.attributter.environment.felles.saml_token";
- public static final String ENVIRONMENT_FELLES_OIDC_TOKEN_BODY = "no.nav.abac.attributter.environment.felles.oidc_token_body";
- public static final String ENVIRONMENT_FELLES_PEP_ID = "no.nav.abac.attributter.environment.felles.pep_id";
- public static final String RESOURCE_FELLES_RESOURCE_TYPE = "no.nav.abac.attributter.resource.felles.resource_type";
- public static final String RESOURCE_FELLES_DOMENE = "no.nav.abac.attributter.resource.felles.domene";
- public static final String RESOURCE_FELLES_PERSON_NAVN = "no.nav.abac.attributter.resource.felles.person.navn";
- public static final String XACML10_ACTION_ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id";
- public static final String RESOURCE_FELLES_PERSON_FNR = "no.nav.abac.attributter.resource.felles.person.fnr";
- public static final String RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE = "no.nav.abac.attributter.resource.felles.person.aktoerId_resource";
- public static final String XACML10_SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
- public static final String SUBJECT_TYPE = "no.nav.abac.attributter.subject.felles.subjectType";
- public static final String SUBJECT_LEVEL = "no.nav.abac.attributter.subject.felles.authenticationLevel";
-
-}
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpKlient.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpKlient.java
index afc3cb608..1a8c7a7bd 100644
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpKlient.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpKlient.java @@ -5,13 +5,6 @@ public interface PdpKlient { - /** - * Key i PdpRequest hvor token informasjon ligger. - */ - String ENVIRONMENT_AUTH_TOKEN = "no.nav.vedtak.sikkerhet.pdp.AbacIdToken"; - - Tilgangsbeslutning forespørTilgang(PdpRequest pdpRequest); - Tilgangsbeslutning forespørTilgang(BeskyttetRessursAttributter beskyttetRessursAttributter, String domene, AppRessursData appRessursData); } diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpRequest.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpRequest.java deleted file mode 100644 index 4845741d5..000000000 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpRequest.java +++ /dev/null 
@@ -1,61 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Objects;
-import java.util.Optional;
-
-public class PdpRequest {
-
- private final Map attributeMap;
-
- public PdpRequest() {
- this(new HashMap<>());
- }
-
- PdpRequest(Map attributeMap) {
- this.attributeMap = attributeMap;
- }
-
- public void put(String key, Object value) {
- Objects.requireNonNull(key, "Key must not be null");
- attributeMap.put(key, value);
- }
-
- public Object get(String key) {
- Objects.requireNonNull(key, "Key must not be null");
- return attributeMap.get(key);
- }
-
- public String getString(String key) {
- Objects.requireNonNull(key, "Key must not be null");
- return (String) attributeMap.get(key);
- }
-
- public Optional getOptional(String key) {
- return Optional.ofNullable(getString(key));
- }
-
- @SuppressWarnings("unchecked")
- public List getListOfString(String key) {
- Objects.requireNonNull(key, "Key must not be null");
- if (attributeMap.containsKey(key)) {
- return new ArrayList<>((Collection) attributeMap.get(key));
- }
- return Collections.emptyList();
- }
-
- public int getAntall(String key) {
- return getListOfString(key).size();
- }
-
- @Override
- public String toString() {
- return getClass().getSimpleName() + " [attributeMap=" + attributeMap + "]";
- }
-
-}
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpRequestBuilder.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpRequestBuilder.java
index 3cffffbf3..4bc3a2873 100644
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpRequestBuilder.java
+++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpRequestBuilder.java
@@ -4,18 +4,10 @@ public interface PdpRequestBuilder { - PdpRequest lagPdpRequest(AbacAttributtSamling attributter); - default String abacDomene() { return "foreldrepenger"; } - default boolean nyttAbacGrensesnitt() { - return false; - } - - default AppRessursData lagAppRessursData(AbacDataAttributter dataAttributter) { - throw new IllegalStateException("Utviklerfeil. Må implementeres for å enable nyttAbacGrensesnitt"); - } + AppRessursData lagAppRessursData(AbacDataAttributter dataAttributter); } diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Pep.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Pep.java index 785dd4e40..e035d48e5 100644 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Pep.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Pep.java @@ -5,17 +5,8 @@ public interface Pep { - default Tilgangsbeslutning vurderTilgang(AbacAttributtSamling attributter) { - throw new IllegalArgumentException("Utviklerfeil mangler impl av Pep-metode"); - } - Tilgangsbeslutning vurderTilgang(BeskyttetRessursAttributter beskyttetRessursAttributter); - default boolean nyttAbacGrensesnitt() { - // Implementert ved å sjekke tilsvarende metode i PdpRequestBuilder - return true; - } - default String pepId() { return Environment.current().getNaisAppName(); } diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PepImpl.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PepImpl.java index fded43d71..e97d1db86 100644 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PepImpl.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PepImpl.java 
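Review bot: `AppRessursData lagAppRessursData(AbacDataAttributter dataAttributter);` becomes the mandatory extension point every consuming application implements, yet it has no Javadoc, and from this interface onward the PDP presumably sees only what this method returns. I would document the contract above it: `/** Translates the data attributes collected from the endpoint (aktørId, fnr, saksnummer, …) into the AppRessursData the PDP decides on. Every AbacAttributtType the application accepts must be mapped here. */` — whether an unmapped attribute is silently dropped or rejected is decided in `AppRessursData`, which is not visible here, so add that sentence only if it holds. `abacDomene()` keeps its previous default.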
@@ -2,8 +2,6 @@ import static no.nav.vedtak.sikkerhet.abac.AbacResultat.AVSLÅTT_ANNEN_ÅRSAK; import static no.nav.vedtak.sikkerhet.abac.AbacResultat.GODKJENT; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR; import java.util.Set; @@ -51,16 +49,6 @@ protected Set konfigurePipUsers(String pipUsers) { return Set.of(); } - @Override - public Tilgangsbeslutning vurderTilgang(AbacAttributtSamling attributter) { - var pdpRequest = builder.lagPdpRequest(attributter); - - if (PIP.equals(attributter.getResource())) { - return vurderTilgangTilPipTjeneste(pdpRequest, attributter); - } - return pdpKlient.forespørTilgang(pdpRequest); - } - @Override public Tilgangsbeslutning vurderTilgang(BeskyttetRessursAttributter beskyttetRessursAttributter) { var appRessurser = builder.lagAppRessursData(beskyttetRessursAttributter.getDataAttributter()); 
@@ -71,54 +59,14 @@ public Tilgangsbeslutning vurderTilgang(BeskyttetRessursAttributter beskyttetRes return pdpKlient.forespørTilgang(beskyttetRessursAttributter, builder.abacDomene(), appRessurser); } - @Override - public boolean nyttAbacGrensesnitt() { - return builder.nyttAbacGrensesnitt(); - } - - protected Tilgangsbeslutning vurderTilgangTilPipTjeneste(PdpRequest pdpRequest, AbacAttributtSamling attributter) { - String uid = tokenProvider.getUid(); - if (pipUsers.contains(uid.toLowerCase())) { - return lagPipPermit(pdpRequest); - } - var tilgangsbeslutning = lagPipDeny(pdpRequest); - auditlogger.loggDeny(uid, tilgangsbeslutning, attributter); - return tilgangsbeslutning; - } - protected Tilgangsbeslutning vurderTilgangTilPipTjeneste(BeskyttetRessursAttributter beskyttetRessursAttributter, AppRessursData appRessursData) { String uid = tokenProvider.getUid(); if (pipUsers.contains(uid.toLowerCase())) { return new Tilgangsbeslutning(GODKJENT, beskyttetRessursAttributter, appRessursData); } var tilgangsbeslutning = new Tilgangsbeslutning(AVSLÅTT_ANNEN_ÅRSAK, beskyttetRessursAttributter, appRessursData); - auditlogger.loggDeny(uid, tilgangsbeslutning, null); + auditlogger.loggDeny(uid, tilgangsbeslutning); return tilgangsbeslutning; } - protected Tilgangsbeslutning lagPipPermit(PdpRequest pdpRequest) { - return new Tilgangsbeslutning(GODKJENT, pdpRequest); - } - - protected Tilgangsbeslutning lagPipDeny(PdpRequest pdpRequest) { - return new Tilgangsbeslutning(AVSLÅTT_ANNEN_ÅRSAK, pdpRequest); - } - - protected int antallResources(PdpRequest pdpRequest) { - return Math.max(1, antallIdenter(pdpRequest)) * Math.max(1, getAntallResources(pdpRequest)); - } - - protected int antallIdenter(PdpRequest pdpRequest) { - // antall identer involvert i en request (eks. 
default - antall aktørId + antall - // fnr) - return pdpRequest.getAntall(RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE) - + pdpRequest.getAntall(RESOURCE_FELLES_PERSON_FNR); - } - - protected int getAntallResources(@SuppressWarnings("unused") PdpRequest pdpRequest) { - // Template method. Regn evt ut antall aksjonspunkter el andre typer ressurser - // som behandles i denne requesten (hvis mer enn 1) - return 1; - } - } diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Tilgangsbeslutning.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Tilgangsbeslutning.java index b6768b14d..7d6c83a4b 100644 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Tilgangsbeslutning.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Tilgangsbeslutning.java @@ -3,15 +3,7 @@ import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter; import no.nav.vedtak.sikkerhet.abac.pdp.AppRessursData; -public record Tilgangsbeslutning(AbacResultat beslutningKode, PdpRequest pdpRequest, BeskyttetRessursAttributter beskyttetRessursAttributter, AppRessursData appRessursData) { - - public Tilgangsbeslutning(AbacResultat beslutningKode, PdpRequest pdpRequest) { - this(beslutningKode, pdpRequest, null, null); - } - - public Tilgangsbeslutning(AbacResultat beslutningKode, BeskyttetRessursAttributter beskyttetRessursAttributter, AppRessursData appRessursData) { - this(beslutningKode, null, beskyttetRessursAttributter, appRessursData); - } +public record Tilgangsbeslutning(AbacResultat beslutningKode, BeskyttetRessursAttributter beskyttetRessursAttributter, AppRessursData appRessursData) { public boolean fikkTilgang() { return beslutningKode == AbacResultat.GODKJENT; diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/TokenProvider.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/TokenProvider.java index 11975824c..4df526374 100644 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/TokenProvider.java 
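Review bot: In `vurderTilgangTilPipTjeneste`, `uid.toLowerCase()` runs before any null check, so a request whose user id cannot be resolved fails with a NullPointerException rather than an explicit deny; whether `TokenProvider.getUid()` can return null is not visible here (its Javadoc lies outside the hunk), but this branch is an allowlist for the PIP service and should fail closed either way. The case fold should also be locale-independent so the match does not depend on the JVM default locale: `if (uid != null && pipUsers.contains(uid.toLowerCase(Locale.ROOT))) {` (needs `import java.util.Locale;`), ideally with the same fold applied where `pipUsers` is built in `konfigurePipUsers`, whose body is outside this hunk. Note that the permit path for an allowlisted service user is not audit-logged while the deny path is; if that is intentional, a one-line comment saying so would stop the next reader from adding it.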
+++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/TokenProvider.java @@ -13,14 +13,6 @@ public interface TokenProvider { */ String getUid(); - /** - * OIDC tokenet til brukeren. Helst fra følgende providere: Tokendings, AzureAD, STS, OpenAM. - * Sendes til PDP (Policy Decision Point) og gir informasjon til ABAC om subject og auth level. - * @return bruker OIDC token. - */ - @Deprecated(forRemoval = true) - String userToken(); - /** * OIDC tokenet til brukeren. Helst fra følgende providere: Tokendings, AzureAD, STS, OpenAM. * Sendes til PDP (Policy Decision Point) og gir informasjon til ABAC om subject og auth level. diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pdp/AppRessursData.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pdp/AppRessursData.java index 558af429c..f03f031d2 100644 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pdp/AppRessursData.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pdp/AppRessursData.java @@ -6,6 +6,12 @@ import java.util.Map; import java.util.Optional; import java.util.Set; +import java.util.stream.Collectors; + +import no.nav.vedtak.sikkerhet.abac.pipdata.PipAktørId; +import no.nav.vedtak.sikkerhet.abac.pipdata.PipBehandlingStatus; +import no.nav.vedtak.sikkerhet.abac.pipdata.PipFagsakStatus; +import no.nav.vedtak.sikkerhet.abac.pipdata.PipOverstyring; public class AppRessursData { @@ -56,6 +62,11 @@ public Builder() { return this; } + public Builder leggTilAbacAktørIdSet(Collection aktørId) { + pdpRequest.aktørIdSet.addAll(aktørId.stream().map(PipAktørId::getVerdi).collect(Collectors.toSet())); + return this; + } + public Builder leggTilFødselsnummer(String fnr) { pdpRequest.fødselsnumre.add(fnr); return this; 
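Review bot: `leggTilAbacAktørIdSet` dereferences `aktørId` immediately (`aktørId.stream()`), so a caller passing null gets a NullPointerException from inside the builder; the neighbouring `leggTilFødselsnummer(String)` and the rest of the Builder are outside the hunk, so I cannot tell whether null-tolerance is the convention in this class. Either guard it, `if (aktørId == null) return this;`, or fail loudly with `Objects.requireNonNull(aktørId, "aktørId");` — but pick one and match the existing methods. The type parameter on `Collection` is lost in this rendering; it presumably is `Collection<PipAktørId>`, given the `PipAktørId::getVerdi` mapping.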
@@ -84,16 +95,16 @@ public Builder leggTilRessurs(RessursDataKey key, RessursDataValue value) { return this; } - public Builder medBehandlingStatus(BehandlingStatus behandlingStatus) { + public Builder medBehandlingStatus(PipBehandlingStatus behandlingStatus) { return leggTilRessurs(ForeldrepengerDataKeys.BEHANDLING_STATUS, behandlingStatus); } - public Builder medFagsakStatus(FagsakStatus fagsakStatus) { + public Builder medFagsakStatus(PipFagsakStatus fagsakStatus) { return leggTilRessurs(ForeldrepengerDataKeys.FAGSAK_STATUS, fagsakStatus); } - public Builder medOverstyring(Overstyring overstyring) { - if (!Overstyring.OVERSTYRING.equals(overstyring)) { + public Builder medOverstyring(PipOverstyring overstyring) { + if (!PipOverstyring.OVERSTYRING.equals(overstyring)) { return this; } return leggTilRessurs(ForeldrepengerDataKeys.AKSJONSPUNKT_OVERSTYRING, overstyring); diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pipdata/AbacPipDto.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pipdata/AbacPipDto.java new file mode 100644 index 000000000..421037c98 --- /dev/null +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pipdata/AbacPipDto.java @@ -0,0 +1,8 @@ +package no.nav.vedtak.sikkerhet.abac.pipdata; + +import java.util.Set; + +import javax.validation.Valid; + +public record AbacPipDto(@Valid Set aktørIder, PipFagsakStatus fagsakStatus, PipBehandlingStatus behandlingStatus) { +} diff --git "a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pipdata/PipAkt\303\270rId.java" "b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pipdata/PipAkt\303\270rId.java" new file mode 100644 index 000000000..e6e541212 --- /dev/null +++ "b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pipdata/PipAkt\303\270rId.java" 
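Review bot: `AbacPipDto` cascades validation into the set with `@Valid` but declares nothing about the set itself, so a payload with `aktørIder` absent or `null` validates cleanly, and the record hands the caller's mutable set through as-is. If this record is the wire format between an application's PIP endpoint and the ABAC caller (inferred from the name and package; not visible here), I would declare `@Valid @NotNull Set<PipAktørId> aktørIder` (the type parameter is lost in this rendering) and add a one-line Javadoc naming the endpoint it is exchanged with. Whether `fagsakStatus`/`behandlingStatus` may legitimately be null should be stated in that Javadoc too, since the PDP policy presumably treats a missing status differently from an explicit one.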
@@ -0,0 +1,78 @@ +package no.nav.vedtak.sikkerhet.abac.pipdata; + +import java.io.Serializable; +import java.util.Objects; +import java.util.regex.Pattern; + +import javax.validation.constraints.NotNull; + +import com.fasterxml.jackson.annotation.JsonValue; + +import no.nav.vedtak.sikkerhet.abac.pdp.RessursDataValue; + +/** + * Id som genereres fra NAV Aktørregister. + * Denne iden benyttes til interne forhold i Nav og vil ikke endres f.eks. dersom bruker går fra DNR til FNR i Folkeregisteret. + */ +public class PipAktørId implements Serializable, Comparable, RessursDataValue { + private static final String VALID_REGEXP = "^\\d{13}$"; + + private static final Pattern VALID = Pattern.compile(VALID_REGEXP, Pattern.CASE_INSENSITIVE); + + @JsonValue + @NotNull + @javax.validation.constraints.Pattern(regexp = VALID_REGEXP, message = "aktørId ${validatedValue} har ikke gyldig verdi (pattern '{regexp}')") + private String aktørId; // NOSONAR + + public PipAktørId(Long aktørId) { + Objects.requireNonNull(aktørId, "aktørId"); + this.aktørId = validateAktørId(aktørId.toString()); + } + + public PipAktørId(String aktørId) { + this.aktørId = validateAktørId(aktørId); + } + + private String validateAktørId(String aktørId) { + Objects.requireNonNull(aktørId, "aktørId"); + if (!VALID.matcher(aktørId).matches()) { + // skal ikke skje, funksjonelle feilmeldinger håndteres ikke her. 
+ throw new IllegalArgumentException("Ugyldig aktørId '" + aktørId +"', tillatt pattern: "+ VALID_REGEXP); + } + return aktørId; + } + + @Override + public String getVerdi() { + return aktørId; + } + + @Override + public boolean equals(Object obj) { + if (obj == this) { + return true; + } + if (obj == null || !getClass().equals(obj.getClass())) { + return false; + } + var other = (PipAktørId) obj; + return Objects.equals(aktørId, other.aktørId); + } + + @Override + public int hashCode() { + return Objects.hash(aktørId); + } + + @Override + public String toString() { + return getClass().getSimpleName() + ""; + } + + @Override + public int compareTo(PipAktørId o) { + // TODO: Burde ikke finnes + return aktørId.compareTo(o.aktørId); + } + +} diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pdp/BehandlingStatus.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pipdata/PipBehandlingStatus.java similarity index 68% rename from felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pdp/BehandlingStatus.java rename to felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pipdata/PipBehandlingStatus.java index c4fabb90e..5794fb3f3 100644 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pdp/BehandlingStatus.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pipdata/PipBehandlingStatus.java 
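Review bot: Both failure messages in `PipAktørId` embed the rejected value: `validateAktørId` throws `"Ugyldig aktørId '" + aktørId + "', ..."` and the `@Pattern` message interpolates `${validatedValue}`. A value that fails `^\d{13}$` is by definition not an aktørId, and the likely failure mode is that a fødselsnummer or another personal identifier was passed by mistake, so the rejected value would then travel into stack traces, logs and possibly error responses; depending on the Hibernate Validator version, `${validatedValue}` is additionally an EL expression evaluated over that caller-controlled text, which the HV documentation itself advises against. I would drop the value from both: `throw new IllegalArgumentException("Ugyldig aktørId, tillatt pattern: " + VALID_REGEXP);` and `message = "aktørId har ikke gyldig verdi (pattern '{regexp}')"`. Two smaller points: `Pattern.CASE_INSENSITIVE` does nothing for a digits-only regex, and `aktørId` can be `final` since it is assigned only in the constructors (the `// NOSONAR` suggests this was already flagged). `toString()` as rendered returns only the simple class name — if that is a deliberate choice to keep the identifier out of logs, a comment should say so; if brackets were lost in rendering, ignore this.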
@@ -1,15 +1,16 @@ -package no.nav.vedtak.sikkerhet.abac.pdp; +package no.nav.vedtak.sikkerhet.abac.pipdata; +import no.nav.vedtak.sikkerhet.abac.pdp.RessursDataValue; import no.nav.vedtak.sikkerhet.abac.policy.ForeldrepengerAttributter; -public enum BehandlingStatus implements RessursDataValue { +public enum PipBehandlingStatus implements RessursDataValue { OPPRETTET(ForeldrepengerAttributter.VALUE_FP_BEHANDLING_STATUS_OPPRETTET), UTREDES(ForeldrepengerAttributter.VALUE_FP_BEHANDLING_STATUS_UTREDES), FATTE_VEDTAK(ForeldrepengerAttributter.VALUE_FP_BEHANDLING_STATUS_VEDTAK); private final String verdi; - BehandlingStatus(String verdi) { + PipBehandlingStatus(String verdi) { this.verdi = verdi; } diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pdp/FagsakStatus.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pipdata/PipFagsakStatus.java similarity index 64% rename from felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pdp/FagsakStatus.java rename to felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pipdata/PipFagsakStatus.java index d9d2d895f..7c9c7e2da 100644 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pdp/FagsakStatus.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pipdata/PipFagsakStatus.java @@ -1,14 +1,15 @@ -package no.nav.vedtak.sikkerhet.abac.pdp; +package no.nav.vedtak.sikkerhet.abac.pipdata; +import no.nav.vedtak.sikkerhet.abac.pdp.RessursDataValue; import no.nav.vedtak.sikkerhet.abac.policy.ForeldrepengerAttributter; -public enum FagsakStatus implements RessursDataValue { +public enum PipFagsakStatus implements RessursDataValue { OPPRETTET(ForeldrepengerAttributter.VALUE_FP_SAK_STATUS_OPPRETTET), UNDER_BEHANDLING(ForeldrepengerAttributter.VALUE_FP_SAK_STATUS_BEHANDLES); private final String verdi; - FagsakStatus(String verdi) { + PipFagsakStatus(String verdi) { this.verdi = verdi; } 
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pdp/Overstyring.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pipdata/PipOverstyring.java similarity index 60% rename from felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pdp/Overstyring.java rename to felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pipdata/PipOverstyring.java index 0370457dc..64ec57f31 100644 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pdp/Overstyring.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/pipdata/PipOverstyring.java @@ -1,13 +1,14 @@ -package no.nav.vedtak.sikkerhet.abac.pdp; +package no.nav.vedtak.sikkerhet.abac.pipdata; +import no.nav.vedtak.sikkerhet.abac.pdp.RessursDataValue; import no.nav.vedtak.sikkerhet.abac.policy.ForeldrepengerAttributter; -public enum Overstyring implements RessursDataValue { +public enum PipOverstyring implements RessursDataValue { OVERSTYRING(ForeldrepengerAttributter.VALUE_FP_AKSJONSPUNKT_OVERSTYRING); private final String verdi; - Overstyring(String verdi) { + PipOverstyring(String verdi) { this.verdi = verdi; } diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumer.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumer.java index 1b7931030..f267aa40f 100644 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumer.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumer.java 
@@ -1,15 +1,9 @@ package no.nav.vedtak.sikkerhet.pdp; import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequest; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequestBuilder; import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlResponse; public interface PdpConsumer { - default XacmlResponse evaluate(XacmlRequestBuilder request) { - throw new IllegalArgumentException("Utviklerfeil mangler impl av PdpConsumer-metode"); - } - default XacmlResponse evaluate(XacmlRequest request) { - throw new IllegalArgumentException("Utviklerfeil mangler impl av PdpConsumer-metode"); - } + XacmlResponse evaluate(XacmlRequest request); } diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumerImpl.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumerImpl.java index e4f8f1f21..96d0898cd 100644 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumerImpl.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumerImpl.java @@ -25,7 +25,6 @@ import no.nav.vedtak.exception.ManglerTilgangException; import no.nav.vedtak.mapper.json.DefaultJsonMapper; import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequest; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequestBuilder; import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlResponse; @ApplicationScoped @@ -42,7 +41,6 @@ public class PdpConsumerImpl implements PdpConsumer { private ObjectReader reader; private URI pdpUrl; - private String brukernavn; private String basicCredentials; PdpConsumerImpl() { 
@@ -53,18 +51,12 @@ public PdpConsumerImpl(@KonfigVerdi(value = PDP_ENDPOINT_URL_KEY, defaultVerdi = @KonfigVerdi(SYSTEMBRUKER_USERNAME) String brukernavn, @KonfigVerdi(SYSTEMBRUKER_PASSWORD) String passord) { this.pdpUrl = URI.create(pdpUrl); - this.brukernavn = brukernavn; this.basicCredentials = basicCredentials(brukernavn, passord); // TODO - vurder om bør settes static final? this.client = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(10)).proxy(HttpClient.Builder.NO_PROXY).build(); this.reader = DefaultJsonMapper.getObjectMapper().readerFor(XacmlResponse.class); } - @Override - public XacmlResponse evaluate(XacmlRequestBuilder xacmlRequest) { - return evaluate(xacmlRequest.build()); - } - @Override public XacmlResponse evaluate(XacmlRequest xacmlRequest) { // TODO : hvilke headere trenger abac egentlig - utenom Auth og Content-type diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImpl.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImpl.java index 520cfbba8..350e7b38e 100644 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImpl.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImpl.java @@ -1,13 +1,5 @@ package no.nav.vedtak.sikkerhet.pdp; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.ENVIRONMENT_FELLES_OIDC_TOKEN_BODY; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.ENVIRONMENT_FELLES_PEP_ID; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.ENVIRONMENT_FELLES_SAML_TOKEN; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.ENVIRONMENT_FELLES_TOKENX_TOKEN_BODY; - -import java.nio.charset.StandardCharsets; -import java.text.ParseException; -import java.util.Base64; import java.util.List; import javax.enterprise.context.ApplicationScoped; 
@@ -16,31 +8,22 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import com.nimbusds.jwt.SignedJWT; - -import no.nav.foreldrepenger.konfig.Environment; import no.nav.vedtak.exception.TekniskException; import no.nav.vedtak.log.util.LoggerUtils; -import no.nav.vedtak.sikkerhet.abac.AbacIdToken; import no.nav.vedtak.sikkerhet.abac.AbacResultat; import no.nav.vedtak.sikkerhet.abac.PdpKlient; -import no.nav.vedtak.sikkerhet.abac.PdpRequest; import no.nav.vedtak.sikkerhet.abac.Tilgangsbeslutning; import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter; import no.nav.vedtak.sikkerhet.abac.pdp.AppRessursData; import no.nav.vedtak.sikkerhet.pdp.xacml.Advice; import no.nav.vedtak.sikkerhet.pdp.xacml.Decision; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlAttributeSet; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequestBuilder; import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlResponse; import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlResponseMapper; @ApplicationScoped public class PdpKlientImpl implements PdpKlient { - private static final Environment ENV = Environment.current(); private static final Logger LOG = LoggerFactory.getLogger(PdpKlientImpl.class); - private XacmlRequestBuilderTjeneste xamlRequestBuilderTjeneste; private PdpConsumer pdp; @@ -48,18 +31,8 @@ public PdpKlientImpl() { } @Inject - public PdpKlientImpl(PdpConsumer pdp, XacmlRequestBuilderTjeneste xamlRequestBuilderTjeneste) { + public PdpKlientImpl(PdpConsumer pdp) { this.pdp = pdp; - this.xamlRequestBuilderTjeneste = xamlRequestBuilderTjeneste; - } - - @Override - public Tilgangsbeslutning forespørTilgang(PdpRequest req) { - var builder = xamlRequestBuilderTjeneste.lagXacmlRequestBuilder(req); - leggPåTokenInformasjon(builder, req); - var response = pdp.evaluate(builder); - var hovedresultat = resultatFraResponse(response); - return new Tilgangsbeslutning(hovedresultat, req); } @Override 
@@ -70,45 +43,6 @@ public PdpKlientImpl(PdpConsumer pdp, XacmlRequestBuilderTjeneste xamlRequestBui return new Tilgangsbeslutning(hovedresultat, beskyttetRessursAttributter, appRessursData); } - static void leggPåTokenInformasjon(XacmlRequestBuilder builder, PdpRequest req) { - var attrs = new XacmlAttributeSet(); - attrs.addAttribute(ENVIRONMENT_FELLES_PEP_ID, getPepId()); - var idToken = AbacIdToken.class.cast(req.get(ENVIRONMENT_AUTH_TOKEN)); - switch (idToken.getTokenType()) { - case OIDC: - String key = ENVIRONMENT_FELLES_OIDC_TOKEN_BODY; - LOG.trace("Legger ved token med type oidc på {}", key); - try { - attrs.addAttribute(key, SignedJWT.parse(idToken.getToken()).getPayload().toBase64URL().toString()); - } catch (ParseException e) { - throw new IllegalArgumentException("Ukjent token type"); - } - break; - case TOKENX: - String keyX = ENVIRONMENT_FELLES_TOKENX_TOKEN_BODY; - LOG.trace("Legger IKKE ved token med type tokenX på {}", keyX); - /* - try { - attrs.addAttribute(keyX, - SignedJWT.parse(idToken.getToken()).getPayload().toBase64URL().toString()); - } catch (ParseException e) { - throw new IllegalArgumentException("Ukjent token type"); - } - */ - break; - case SAML: - LOG.trace("Legger på token med type saml"); - attrs.addAttribute(ENVIRONMENT_FELLES_SAML_TOKEN, base64encode(idToken.getToken())); - break; - } - - builder.addEnvironmentAttributeSet(attrs); - } - - private static String base64encode(String samlToken) { - return Base64.getEncoder().encodeToString(samlToken.getBytes(StandardCharsets.UTF_8)); - } - private static AbacResultat resultatFraResponse(XacmlResponse response) { var decisions = XacmlResponseMapper.getDecisions(response); @@ -160,8 +94,4 @@ private static void handlObligation(XacmlResponse response) { throw new TekniskException("F-576027", String.format("Mottok ukjente obligations fra PDP: %s", obligations)); } } - - private static String getPepId() { - return ENV.getNaisAppName(); - } } 
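Review bot: With `leggPåTokenInformasjon` and `getPepId()` deleted, nothing left in `PdpKlientImpl` places the subject token (formerly the JWT payload under `ENVIRONMENT_FELLES_OIDC_TOKEN_BODY`, or the base64-encoded SAML assertion under `ENVIRONMENT_FELLES_SAML_TOKEN`) or the PEP id into the XACML environment; the surviving `forespørTilgang(beskyttetRessursAttributter, domene, appRessursData)` sits outside this hunk, so I cannot confirm where that now happens. Because the PDP derives the subject from that attribute, I would want `PdpKlientImplTest` (in the diffstat, not visible here) to assert that the `XacmlRequest` handed to `PdpConsumer.evaluate` carries the token-body attribute for the OIDC case and deliberately nothing for TokenX, matching the behaviour removed here. The deleted `SignedJWT.parse(...)` only re-encoded the payload and never verified the signature; if the replacement does the same, a comment stating that verification happens earlier (in the interceptor, presumably) would save the next reader from re-checking.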
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestBuilderTjeneste.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestBuilderTjeneste.java deleted file mode 100644 index 709b54de4..000000000 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestBuilderTjeneste.java +++ /dev/null @@ -1,17 +0,0 @@ -package no.nav.vedtak.sikkerhet.pdp; - -import no.nav.vedtak.sikkerhet.abac.PdpRequest; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequestBuilder; - -public interface XacmlRequestBuilderTjeneste { - /** - * Legger på de attributter som trengs for vurdering av abac-policy - * - * @param pdpRequest attributter som systemet har plukket ut som relevant for - * requestet - * @return XacmlRequestBuilder - */ - default XacmlRequestBuilder lagXacmlRequestBuilder(PdpRequest req) { - return new XacmlRequestBuilder(); - } -} diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlAttributeSet.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlAttributeSet.java deleted file mode 100644 index bf4a6e73b..000000000 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlAttributeSet.java +++ /dev/null 
@@ -1,27 +0,0 @@ -package no.nav.vedtak.sikkerhet.pdp.xacml; - -import java.util.ArrayList; -import java.util.List; -import java.util.Objects; - -public class XacmlAttributeSet { - private List attributes = new ArrayList<>(); - - public XacmlAttributeSet addAttribute(String id, String value) { - Objects.requireNonNull(id, "Name in JsonObject's name/value pair"); - Objects.requireNonNull(value, "Value in JsonObject's name/value pair"); - attributes.add(new XacmlRequest.AttributeAssignment(id, value)); - return this; - } - - public XacmlAttributeSet addAttribute(String id, int value) { - Objects.requireNonNull(id, "Name in JsonObject's name/value pair"); - Objects.requireNonNull(value, "Value in JsonObject's name/value pair"); - attributes.add(new XacmlRequest.AttributeAssignment(id, value)); - return this; - } - - List getAttributes() { - return attributes; - } -} diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlRequestBuilder.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlRequestBuilder.java deleted file mode 100644 index 10083619e..000000000 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlRequestBuilder.java +++ /dev/null 
@@ -1,67 +0,0 @@ -package no.nav.vedtak.sikkerhet.pdp.xacml; - -import java.util.ArrayList; -import java.util.Collection; -import java.util.EnumMap; -import java.util.LinkedHashMap; -import java.util.List; -import java.util.Map; -import java.util.Set; - -public class XacmlRequestBuilder { - - private Map> attributeSets = new EnumMap<>(Category.class); - - public XacmlRequestBuilder addResourceAttributeSet(XacmlAttributeSet attributeSet) { - addAttributeSetInCategory(Category.Resource, attributeSet); - return this; - } - - public XacmlRequestBuilder addEnvironmentAttributeSet(XacmlAttributeSet attributeSet) { - addAttributeSetInCategory(Category.Environment, attributeSet); - return this; - } - - public XacmlRequestBuilder addActionAttributeSet(XacmlAttributeSet attributeSet) { - addAttributeSetInCategory(Category.Action, attributeSet); - return this; - } - - public XacmlRequestBuilder addSubjectAttributeSet(XacmlAttributeSet attributeSet) { - addAttributeSetInCategory(Category.AccessSubject, attributeSet); - return this; - } - - private void addAttributeSetInCategory(Category category, XacmlAttributeSet decisionPoint) { - - if (attributeSets.containsKey(category)) { - attributeSets.get(category).add(decisionPoint); - } else { - List setList = new ArrayList<>(); - setList.add(decisionPoint); - attributeSets.put(category, setList); - } - } - - public XacmlRequest build() { - var attributeMap = new LinkedHashMap>(); - - Set keys = attributeSets.keySet(); - for (Category xacmlCategory : keys) { - attributeMap.putIfAbsent(xacmlCategory, new ArrayList<>()); - List attrsList = attributeSets.get(xacmlCategory); - var attrList = attrsList.stream() - .map(XacmlAttributeSet::getAttributes) - .flatMap(Collection::stream) - .distinct() - .toList(); - var rq = new XacmlRequest.Attributes(attrList); - attributeMap.get(xacmlCategory).add(rq); - } - - var request = new XacmlRequest(attributeMap); - - attributeSets.clear(); - return request; - } -} 
diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/DummyRequestBuilder.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/DummyRequestBuilder.java index df387c705..1cc5b1e9a 100644 --- a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/DummyRequestBuilder.java +++ b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/DummyRequestBuilder.java @@ -10,11 +10,6 @@ @Alternative @Priority(1) class DummyRequestBuilder implements PdpRequestBuilder { - @Override - public PdpRequest lagPdpRequest(AbacAttributtSamling attributter) { - return new PdpRequest(); - } - @Override public AppRessursData lagAppRessursData(AbacDataAttributter attributter) { return AppRessursData.builder().build(); diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PdpRequestTest.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PdpRequestTest.java deleted file mode 100644 index db9bb3492..000000000 --- a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PdpRequestTest.java +++ /dev/null 
@@ -1,79 +0,0 @@ -package no.nav.vedtak.sikkerhet.abac; - -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_NAVN; -import static org.assertj.core.api.Assertions.assertThat; - -import java.util.LinkedHashSet; -import java.util.List; -import java.util.Optional; - -import org.junit.jupiter.api.Test; - -class PdpRequestTest { - - @Test - void skal_lage_kryssprodukt_mellom_identer() throws Exception { - PdpRequest req = new PdpRequest(); - var fnr = new LinkedHashSet<>(); - fnr.add("11111111111"); - fnr.add("22222222222"); - fnr.add("33333333333"); - fnr.add("44444444444"); - req.put(RESOURCE_FELLES_PERSON_FNR, fnr); - var aktørId = new LinkedHashSet<>(); - aktørId.add("1111"); - aktørId.add("2222"); - req.put(RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE, aktørId); - - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 0)) - .hasValueSatisfying(it -> assertThat(it).isEqualTo("11111111111")); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 1)) - .hasValueSatisfying(it -> assertThat(it).isEqualTo("22222222222")); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 2)) - .hasValueSatisfying(it -> assertThat(it).isEqualTo("33333333333")); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 3)) - .hasValueSatisfying(it -> assertThat(it).isEqualTo("44444444444")); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE, 0)) - .hasValueSatisfying(it -> assertThat(it).isEqualTo("1111")); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE, 1)) - .hasValueSatisfying(it -> assertThat(it).isEqualTo("2222")); - assertThat(getElementFromListByKeyAndIndex(req, 
RESOURCE_FELLES_PERSON_FNR, 4)).isNotPresent(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 5)).isNotPresent(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 6)).isNotPresent(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 7)).isNotPresent(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE, 2)).isNotPresent(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE, 3)).isNotPresent(); - } - - @Test - void skal_fungere_uten_fnr() throws Exception { - PdpRequest req = new PdpRequest(); - var at = List.of("a", "b"); - req.put(RESOURCE_FELLES_PERSON_NAVN, at); - - assertThat(req.getListOfString(RESOURCE_FELLES_PERSON_FNR)).isEmpty(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 0)).isNotPresent(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 1)).isNotPresent(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_NAVN, 0)).hasValueSatisfying(it -> assertThat(it).isEqualTo("a")); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_NAVN, 1)).hasValueSatisfying(it -> assertThat(it).isEqualTo("b")); - } - - @Test - void skal_fungere_uten_fnr_og_uten_aksjonspunkt_type() throws Exception { - PdpRequest req = new PdpRequest(); - - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 0)).isNotPresent(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_NAVN, 0)).isNotPresent(); - } - - private static Optional getElementFromListByKeyAndIndex(PdpRequest pdpRequest, String key, int index) { - List list = pdpRequest.getListOfString(key); - if (list.size() >= index + 1) { - return Optional.ofNullable(list.get(index)); - } - return Optional.empty(); - } - -} 
diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplNyTest.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplNyTest.java deleted file mode 100644 index d2c4e1891..000000000 --- a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplNyTest.java +++ /dev/null 
@@ -1,107 +0,0 @@ -package no.nav.vedtak.sikkerhet.abac; - -import static no.nav.vedtak.sikkerhet.abac.policy.ForeldrepengerAttributter.RESOURCE_TYPE_INTERNAL_PIP; -import static org.assertj.core.api.AssertionsForClassTypes.assertThat; -import static org.mockito.ArgumentMatchers.any; -import static org.mockito.ArgumentMatchers.eq; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.verify; -import static org.mockito.Mockito.verifyNoInteractions; -import static org.mockito.Mockito.when; - -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.ExtendWith; -import org.mockito.Mock; -import org.mockito.junit.jupiter.MockitoExtension; - -import no.nav.vedtak.sikkerhet.abac.beskyttet.ActionType; -import no.nav.vedtak.sikkerhet.abac.beskyttet.ServiceType; -import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter; -import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursInterceptorTest; -import no.nav.vedtak.sikkerhet.abac.pdp.AppRessursData; -import no.nav.vedtak.sikkerhet.abac.policy.ForeldrepengerAttributter; - -@ExtendWith(MockitoExtension.class) -class PepImplNyTest { - - private PepImpl pep; - @Mock - private TokenProvider tokenProvider; - @Mock - private PdpKlient pdpKlientMock; - @Mock - private PdpRequestBuilder pdpRequestBuilder; - - @BeforeEach - void setUp() { - pep = new PepImpl(pdpKlientMock, - tokenProvider, - pdpRequestBuilder, - mock(AbacAuditlogger.class), - "SRVFPLOS,SRVPDP"); - } - - @Test - void skal_gi_tilgang_til_srvpdp_for_piptjeneste() { - when(tokenProvider.getUid()).thenReturn("srvpdp"); - var attributter = lagBeskyttetRessursAttributterPip(); - - when(pdpRequestBuilder.lagAppRessursData(any())).thenReturn(AppRessursData.builder().build()); - - Tilgangsbeslutning permit = pep.vurderTilgang(attributter); - assertThat(permit.fikkTilgang()).isTrue(); - verifyNoInteractions(pdpKlientMock); - } - - @Test - void 
skal_nekte_tilgang_til_saksbehandler_for_piptjeneste() { - when(tokenProvider.getUid()).thenReturn("z142443"); - var attributter = lagBeskyttetRessursAttributterPip(); - - when(pdpRequestBuilder.lagAppRessursData(any())).thenReturn(AppRessursData.builder().build()); - - Tilgangsbeslutning permit = pep.vurderTilgang(attributter); - assertThat(permit.fikkTilgang()).isFalse(); - verifyNoInteractions(pdpKlientMock); - } - - @Test - void skal_kalle_pdp_for_annet_enn_pip_tjenester() { - when(tokenProvider.getUid()).thenReturn("z142443"); - var attributter = lagBeskyttetRessursAttributter(); - - when(pdpRequestBuilder.lagAppRessursData(any())).thenReturn(AppRessursData.builder().build()); - when(pdpRequestBuilder.abacDomene()).thenReturn("foreldrepenger"); - - @SuppressWarnings("unused") - Tilgangsbeslutning permit = pep.vurderTilgang(attributter); - verify(pdpKlientMock).forespørTilgang(eq(attributter), any(String.class), any(AppRessursData.class)); - } - - private BeskyttetRessursAttributter lagBeskyttetRessursAttributter() { - return BeskyttetRessursAttributter.builder() - .medUserId(tokenProvider.getUid()) - .medToken(Token.withOidcToken(BeskyttetRessursInterceptorTest.DUMMY_OPENID_TOKEN)) - .medResourceType(ForeldrepengerAttributter.RESOURCE_TYPE_FP_FAGSAK) - .medActionType(ActionType.READ) - .medPepId("local-app") - .medServicePath("/metode") - .medServiceType(ServiceType.REST) - .medDataAttributter(AbacDataAttributter.opprett()) - .build(); - } - - private BeskyttetRessursAttributter lagBeskyttetRessursAttributterPip() { - return BeskyttetRessursAttributter.builder() - .medUserId(tokenProvider.getUid()) - .medToken(Token.withOidcToken(BeskyttetRessursInterceptorTest.DUMMY_OPENID_TOKEN)) - .medResourceType(RESOURCE_TYPE_INTERNAL_PIP) - .medActionType(ActionType.READ) - .medPepId("local-app") - .medServicePath("/metode") - .medServiceType(ServiceType.REST) - .medDataAttributter(AbacDataAttributter.opprett()) - .build(); - } -} 
diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java index a67dc37be..4960a927c 100644 --- a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java +++ b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java @@ -3,6 +3,7 @@ import static no.nav.vedtak.sikkerhet.abac.policy.ForeldrepengerAttributter.RESOURCE_TYPE_INTERNAL_PIP; import static org.assertj.core.api.AssertionsForClassTypes.assertThat; import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.eq; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verifyNoInteractions; @@ -14,7 +15,12 @@ import org.mockito.Mock; import org.mockito.junit.jupiter.MockitoExtension; -import no.nav.vedtak.sikkerhet.abac.AbacIdToken.TokenType; +import no.nav.vedtak.sikkerhet.abac.beskyttet.ActionType; +import no.nav.vedtak.sikkerhet.abac.beskyttet.ServiceType; +import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter; +import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursInterceptorTest; +import no.nav.vedtak.sikkerhet.abac.pdp.AppRessursData; +import no.nav.vedtak.sikkerhet.abac.policy.ForeldrepengerAttributter; @ExtendWith(MockitoExtension.class) class PepImplTest { 
@@ -39,12 +45,9 @@ void setUp() { @Test void skal_gi_tilgang_til_srvpdp_for_piptjeneste() { when(tokenProvider.getUid()).thenReturn("srvpdp"); - AbacAttributtSamling attributter = AbacAttributtSamling.medJwtToken("dummy", TokenType.OIDC) - .setResource(RESOURCE_TYPE_INTERNAL_PIP) - .setAction("READ"); + var attributter = lagBeskyttetRessursAttributterPip(); - when(pdpRequestBuilder.lagPdpRequest(attributter)) - .thenReturn(new PdpRequest()); + when(pdpRequestBuilder.lagAppRessursData(any())).thenReturn(AppRessursData.builder().build()); Tilgangsbeslutning permit = pep.vurderTilgang(attributter); assertThat(permit.fikkTilgang()).isTrue(); @@ -54,12 +57,9 @@ void skal_gi_tilgang_til_srvpdp_for_piptjeneste() { @Test void skal_nekte_tilgang_til_saksbehandler_for_piptjeneste() { when(tokenProvider.getUid()).thenReturn("z142443"); - AbacAttributtSamling attributter = AbacAttributtSamling.medJwtToken("dummy", TokenType.OIDC) - .setResource(RESOURCE_TYPE_INTERNAL_PIP) - .setAction("READ"); + var attributter = lagBeskyttetRessursAttributterPip(); - when(pdpRequestBuilder.lagPdpRequest(attributter)) - .thenReturn(new PdpRequest()); + when(pdpRequestBuilder.lagAppRessursData(any())).thenReturn(AppRessursData.builder().build()); Tilgangsbeslutning permit = pep.vurderTilgang(attributter); assertThat(permit.fikkTilgang()).isFalse(); 
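Review bot: Both PIP tests (`@@ -39` and `@@ -54`) stub `pdpRequestBuilder.lagAppRessursData(any())` even though the PDP client is expected to see no interactions; under `MockitoExtension`'s default strict stubbing these tests can only pass if `PepImpl.vurderTilgang` resolves app resource data before it decides locally for `RESOURCE_TYPE_INTERNAL_PIP`. If that ordering is intended it is worth stating on the stubbing line, e.g. `// lagAppRessursData is always invoked before the local PIP decision, so the stub is required`, because it means resource lookups happen for requests that never reach the PDP. If it is not intended, the stubs should be dropped so the tests also document that no lookup happens. The `setUp` and the `verifyNoInteractions` assertions for these methods lie outside the hunks.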
@@ -68,15 +68,40 @@ void skal_nekte_tilgang_til_saksbehandler_for_piptjeneste() { @Test void skal_kalle_pdp_for_annet_enn_pip_tjenester() { - AbacAttributtSamling attributter = AbacAttributtSamling.medJwtToken("dummy", TokenType.OIDC) - .setResource("no.nav.abac.attributter.foreldrepenger.fagsak") - .setAction("READ"); + when(tokenProvider.getUid()).thenReturn("z142443"); + var attributter = lagBeskyttetRessursAttributter(); - when(pdpRequestBuilder.lagPdpRequest(attributter)) - .thenReturn(new PdpRequest()); + when(pdpRequestBuilder.lagAppRessursData(any())).thenReturn(AppRessursData.builder().build()); + when(pdpRequestBuilder.abacDomene()).thenReturn("foreldrepenger"); @SuppressWarnings("unused") Tilgangsbeslutning permit = pep.vurderTilgang(attributter); - verify(pdpKlientMock).forespørTilgang(any(PdpRequest.class)); + verify(pdpKlientMock).forespørTilgang(eq(attributter), any(String.class), any(AppRessursData.class)); + } + + private BeskyttetRessursAttributter lagBeskyttetRessursAttributter() { + return BeskyttetRessursAttributter.builder() + .medUserId(tokenProvider.getUid()) + .medToken(Token.withOidcToken(BeskyttetRessursInterceptorTest.DUMMY_OPENID_TOKEN)) + .medResourceType(ForeldrepengerAttributter.RESOURCE_TYPE_FP_FAGSAK) + .medActionType(ActionType.READ) + .medPepId("local-app") + .medServicePath("/metode") + .medServiceType(ServiceType.REST) + .medDataAttributter(AbacDataAttributter.opprett()) + .build(); + } + + private BeskyttetRessursAttributter lagBeskyttetRessursAttributterPip() { + return BeskyttetRessursAttributter.builder() + .medUserId(tokenProvider.getUid()) + .medToken(Token.withOidcToken(BeskyttetRessursInterceptorTest.DUMMY_OPENID_TOKEN)) + .medResourceType(RESOURCE_TYPE_INTERNAL_PIP) + .medActionType(ActionType.READ) + .medPepId("local-app") + .medServicePath("/metode") + .medServiceType(ServiceType.REST) + .medDataAttributter(AbacDataAttributter.opprett()) + .build(); } } 
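Review bot: The two new helpers `lagBeskyttetRessursAttributter` and `lagBeskyttetRessursAttributterPip` are identical except for the `medResourceType` argument, so a single parameterised builder removes nine duplicated builder calls and makes it obvious that resource type is the only variable in these tests. The sketch below assumes the resource-type constants are `String`, as the old `.setResource("no.nav.abac.attributter.foreldrepenger.fagsak")` call suggests; adjust the parameter type if they are not. Note that the helper calls `tokenProvider.getUid()` itself, so each test must stub it before building the attributes, as `skal_kalle_pdp_for_annet_enn_pip_tjenester` now does.

```java
private BeskyttetRessursAttributter lagBeskyttetRessursAttributter() {
    return lagBeskyttetRessursAttributter(ForeldrepengerAttributter.RESOURCE_TYPE_FP_FAGSAK);
}

private BeskyttetRessursAttributter lagBeskyttetRessursAttributterPip() {
    return lagBeskyttetRessursAttributter(RESOURCE_TYPE_INTERNAL_PIP);
}

// Shared builder: only the resource type differs between the PIP and the fagsak cases.
private BeskyttetRessursAttributter lagBeskyttetRessursAttributter(String resourceType) {
    return BeskyttetRessursAttributter.builder()
        .medUserId(tokenProvider.getUid())
        .medToken(Token.withOidcToken(BeskyttetRessursInterceptorTest.DUMMY_OPENID_TOKEN))
        .medResourceType(resourceType)
        .medActionType(ActionType.READ)
        .medPepId("local-app")
        .medServicePath("/metode")
        .medServiceType(ServiceType.REST)
        .medDataAttributter(AbacDataAttributter.opprett())
        .build();
}
```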
diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PipdataTest.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PipdataTest.java
new file mode 100644
index 000000000..58ade999c
--- /dev/null
+++ b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PipdataTest.java
@@ -0,0 +1,59 @@ +package no.nav.vedtak.sikkerhet.abac; + +import static org.assertj.core.api.Assertions.assertThat; + +import java.util.Set; +import java.util.stream.Collectors; + +import org.junit.jupiter.api.Test; + +import no.nav.vedtak.mapper.json.DefaultJsonMapper; +import no.nav.vedtak.sikkerhet.abac.pipdata.AbacPipDto; +import no.nav.vedtak.sikkerhet.abac.pipdata.PipAktørId; +import no.nav.vedtak.sikkerhet.abac.pipdata.PipBehandlingStatus; +import no.nav.vedtak.sikkerhet.abac.pipdata.PipFagsakStatus; + +class PipdataTest { + + @Test + void roundtrip_pip() { + var pip = new AbacPipDto(Set.of(new PipAktørId("0000000000000")), PipFagsakStatus.UNDER_BEHANDLING, PipBehandlingStatus.UTREDES); + var json = DefaultJsonMapper.toJson(pip); + var roundtrip = DefaultJsonMapper.fromJson(json, AbacPipDto.class); + assertThat(roundtrip).isEqualTo(pip); + } + + @Test + void roundtrip_compatible1() { + var pip = new PseudoPip(Set.of("0000000000000", "2222222222222"), PipFagsakStatus.UNDER_BEHANDLING.name(), PipBehandlingStatus.UTREDES.name()); + var json = DefaultJsonMapper.toJson(pip); + var roundtrip = DefaultJsonMapper.fromJson(json, AbacPipDto.class); + assertThat(roundtrip.aktørIder().stream().map(PipAktørId::getVerdi).collect(Collectors.toSet())).containsAll(pip.aktørIder()); + assertThat(roundtrip.fagsakStatus().name()).isEqualTo(pip.fagsakStatus()); + assertThat(roundtrip.behandlingStatus().name()).isEqualTo(pip.behandlingStatus()); + } + + @Test + void roundtrip_compatible2() { + var pip = new AbacPipDto(Set.of(new PipAktørId("0000000000000"), new PipAktørId("2222222222222")), PipFagsakStatus.UNDER_BEHANDLING, PipBehandlingStatus.UTREDES); + var json = DefaultJsonMapper.toJson(pip); + var roundtrip = DefaultJsonMapper.fromJson(json, PseudoPip.class); + assertThat(pip.aktørIder().stream().map(PipAktørId::getVerdi).collect(Collectors.toSet())).containsAll(roundtrip.aktørIder()); + assertThat(pip.fagsakStatus().name()).isEqualTo(roundtrip.fagsakStatus()); + 
assertThat(pip.behandlingStatus().name()).isEqualTo(roundtrip.behandlingStatus()); + } + + @Test + void fra_kilde_sak() { + var json = """ + {"aktørIder":["0000000000000","2222222222222"],"fagsakStatus":"UNDER_BEHANDLING","behandlingStatus":"UTREDES"} + """; + var roundtrip = DefaultJsonMapper.fromJson(json, AbacPipDto.class); + assertThat(roundtrip.aktørIder().stream().map(PipAktørId::getVerdi).collect(Collectors.toSet())).containsAll(Set.of("0000000000000","2222222222222")); + assertThat(roundtrip.fagsakStatus()).isEqualTo(PipFagsakStatus.UNDER_BEHANDLING); + assertThat(roundtrip.behandlingStatus()).isEqualTo(PipBehandlingStatus.UTREDES); + } + + private static record PseudoPip(Set aktørIder, String fagsakStatus, String behandlingStatus) {} + +} diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImplTest.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImplTest.java index d3ec73b92..c5311a9a8 100644 --- a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImplTest.java +++ b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImplTest.java @@ -9,10 +9,11 @@ import java.io.FileNotFoundException; import java.io.IOException; import java.nio.charset.StandardCharsets; +import java.util.ArrayList; import java.util.Base64; import java.util.Collection; -import java.util.Collections; import java.util.HashSet; +import java.util.LinkedHashSet; import java.util.List; import java.util.Set; 
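Review bot: The `containsAll` assertions in `roundtrip_compatible1` and `roundtrip_compatible2` check only one direction, so an extra or spurious aktørId surviving the JSON round trip would not be detected; `assertThat(roundtrip.aktørIder().stream().map(PipAktørId::getVerdi).collect(Collectors.toSet())).containsExactlyInAnyOrderElementsOf(pip.aktørIder());` (and the mirrored form in `roundtrip_compatible2`) pins the set exactly. `roundtrip_pip` relies on value equality of `AbacPipDto` and `PipAktørId`, which is defined outside this file; if `PipAktørId` is not a record, a comment noting that it must implement `equals`/`hashCode` for this assertion to be meaningful would help the next reader. The nested `PseudoPip` record is implicitly static, so `private record PseudoPip(...)` suffices.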
@@ -22,84 +23,104 @@ import no.nav.vedtak.exception.VLException; import no.nav.vedtak.mapper.json.DefaultJsonMapper; -import no.nav.vedtak.sikkerhet.abac.AbacIdToken; +import no.nav.vedtak.sikkerhet.abac.AbacDataAttributter; import no.nav.vedtak.sikkerhet.abac.AbacResultat; -import no.nav.vedtak.sikkerhet.abac.BeskyttetRessursActionAttributt; -import no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter; import no.nav.vedtak.sikkerhet.abac.PdpKlient; -import no.nav.vedtak.sikkerhet.abac.PdpRequest; -import no.nav.vedtak.sikkerhet.abac.Tilgangsbeslutning; +import no.nav.vedtak.sikkerhet.abac.Token; +import no.nav.vedtak.sikkerhet.abac.beskyttet.ActionType; +import no.nav.vedtak.sikkerhet.abac.beskyttet.ServiceType; +import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter; +import no.nav.vedtak.sikkerhet.abac.pdp.AppRessursData; +import no.nav.vedtak.sikkerhet.abac.pipdata.PipBehandlingStatus; +import no.nav.vedtak.sikkerhet.abac.policy.ForeldrepengerAttributter; +import no.nav.vedtak.sikkerhet.oidc.config.OpenIDProvider; +import no.nav.vedtak.sikkerhet.oidc.token.OpenIDToken; +import no.nav.vedtak.sikkerhet.oidc.token.TokenString; import no.nav.vedtak.sikkerhet.pdp.xacml.Category; +import no.nav.vedtak.sikkerhet.pdp.xacml.NavFellesAttributter; import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequest; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequestBuilder; import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlResponse; public class PdpKlientImplTest { - public static final String JWT_TOKEN = 
"eyAidHlwIjogIkpXVCIsICJraWQiOiAiU0gxSWVSU2sxT1VGSDNzd1orRXVVcTE5VHZRPSIsICJhbGciOiAiUlMyNTYiIH0.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.S2DKQweQWZIfjaAT2UP9_dxrK5zqpXj8IgtjDLt5PVfLYfZqpWGaX-ckXG0GlztDVBlRK4ylmIYacTmEAUV_bRa_qWKRNxF83SlQRgHDSiE82SGv5WHOGEcAxf2w_d50XsgA2KDBCyv0bFIp9bCiKzP11uWPW0v4uIkyw2xVxMVPMCuiMUtYFh80sMDf9T4FuQcFd0LxoYcSFDEDlwCdRiF3ufw73qtMYBlNIMbTGHx-DZWkZV7CgukmCee79gwQIvGwdLrgaDrHFCJUDCbB1FFEaE3p3_BZbj0T54fCvL69aHyWm1zEd9Pys15yZdSh3oSSr4yVNIxhoF-nQ7gY-g;"; + private static final String JWT_TOKENSTRING = "eyAidHlwIjogIkpXVCIsICJraWQiOiAiU0gxSWVSU2sxT1VGSDNzd1orRXVVcTE5VHZRPSIsICJhbGciOiAiUlMyNTYiIH0.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.S2DKQweQWZIfjaAT2UP9_dxrK5zqpXj8IgtjDLt5PVfLYfZqpWGaX-ckXG0GlztDVBlRK4ylmIYacTmEAUV_bRa_qWKRNxF83SlQRgHDSiE82SGv5WHOGEcAxf2w_d50XsgA2KDBCyv0bFIp9bCiKzP11uWPW0v4uIkyw2xVxMVPMCuiMUtYFh80sMDf9T4FuQcFd0LxoYcSFDEDlwCdRiF3ufw73qtMYBlNIMbTGHx-DZWkZV7CgukmCee79gwQIvGwdLrgaDrHFCJUDCbB1FFEaE3p3_BZbj0T54fCvL69aHyWm1zEd9Pys15yZdSh3oSSr4yVNIxhoF-nQ7gY-g;"; + public static final OpenIDToken JWT_TOKEN = new OpenIDToken(OpenIDProvider.STS, new TokenString(JWT_TOKENSTRING)); + public static final OpenIDToken JWT_TOKENX_TOKEN = new OpenIDToken(OpenIDProvider.TOKENX, new TokenString(JWT_TOKENSTRING)); + private static final String DOMENE = "foreldrepenger"; + private PdpKlient pdpKlient; private PdpConsumer pdpConsumerMock; - private XacmlRequestBuilderTjenesteImpl xamlRequestBuilderTjeneste; @BeforeEach public void setUp() { pdpConsumerMock = mock(PdpConsumer.class); - xamlRequestBuilderTjeneste = new XacmlRequestBuilderTjenesteImpl(); - pdpKlient = new PdpKlientImpl(pdpConsumerMock, xamlRequestBuilderTjeneste); + pdpKlient = new PdpKlientImpl(pdpConsumerMock); } @Test public void kallPdpMedSamlTokenNårIdTokenErSamlToken() throws Exception { - AbacIdToken idToken = AbacIdToken.withSamlToken("SAML"); + var idToken = Token.withSamlToken("SAML"); var responseWrapper = 
createResponse("xacmlresponse.json"); - ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequestBuilder.class); + var captor = ArgumentCaptor.forClass(XacmlRequest.class); when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, Collections.singleton("12345678900")); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); - pdpKlient.forespørTilgang(pdpRequest); + var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); + var ressurs = AppRessursData.builder().leggTilFødselsnummer("12345678900").build(); + pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - assertThat(captor.getValue().build().toString().contains(NavAbacCommonAttributter.ENVIRONMENT_FELLES_SAML_TOKEN)).isTrue(); + assertThat(captor.getValue().toString()).contains(NavFellesAttributter.ENVIRONMENT_FELLES_SAML_TOKEN); } @Test public void kallPdpUtenFnrResourceHvisPersonlisteErTom() throws FileNotFoundException { - AbacIdToken idToken = AbacIdToken.withOidcToken(JWT_TOKEN); + var idToken = Token.withOidcToken(JWT_TOKEN); var responseWrapper = createResponse("xacmlresponse.json"); - ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequestBuilder.class); + var captor = ArgumentCaptor.forClass(XacmlRequest.class); when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, Collections.emptySet()); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); - pdpKlient.forespørTilgang(pdpRequest); + var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); + var ressurs = AppRessursData.builder().build(); + pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - 
assertThat(captor.getValue().build().toString().contains(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR)).isFalse(); + assertThat(captor.getValue().toString()).doesNotContain(NavFellesAttributter.RESOURCE_FELLES_PERSON_FNR); } @Test public void kallPdpMedJwtTokenBodyNårIdTokenErJwtToken() throws Exception { - AbacIdToken idToken = AbacIdToken.withOidcToken(JWT_TOKEN); + var idToken = Token.withOidcToken(JWT_TOKEN); + var responseWrapper = createResponse("xacmlresponse.json"); + var captor = ArgumentCaptor.forClass(XacmlRequest.class); + + when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); + + var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); + var ressurs = AppRessursData.builder().leggTilFødselsnummer("12345678900").build(); + pdpKlient.forespørTilgang(felles, DOMENE, ressurs); + + assertThat(captor.getValue().toString()).contains(NavFellesAttributter.ENVIRONMENT_FELLES_OIDC_TOKEN_BODY); + } + + @Test + public void kallPdpMedJwtTokenBodyNårIdTokenErTokeXToken() throws Exception { + var idToken = Token.withOidcToken(JWT_TOKENX_TOKEN); var responseWrapper = createResponse("xacmlresponse.json"); - ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequestBuilder.class); + var captor = ArgumentCaptor.forClass(XacmlRequest.class); when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, Collections.singleton("12345678900")); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); - pdpKlient.forespørTilgang(pdpRequest); + var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); + var ressurs = AppRessursData.builder().leggTilFødselsnummer("12345678900").build(); + pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - 
assertThat(captor.getValue().build().toString().contains(NavAbacCommonAttributter.ENVIRONMENT_FELLES_OIDC_TOKEN_BODY)).isTrue(); + assertThat(captor.getValue().toString()).contains(NavFellesAttributter.ENVIRONMENT_FELLES_TOKENX_TOKEN_BODY); } @Test - public void kallPdpMedFlereAttributtSettNårPersonlisteStørreEnn1() throws FileNotFoundException { - AbacIdToken idToken = AbacIdToken.withOidcToken(JWT_TOKEN); + public void kallPdpMedFlereAttributtSettNårPersonlisteStørreEnn1() { + var idToken = Token.withOidcToken(JWT_TOKEN); var responseWrapper = createResponse("xacml3response.json"); - ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequestBuilder.class); + var captor = ArgumentCaptor.forClass(XacmlRequest.class); when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); Set personnr = new HashSet<>(); @@ -107,12 +128,11 @@ public void kallPdpUtenFnrResourceHvisPersonlisteErTom() throws FileNotFoundExce personnr.add("00987654321"); personnr.add("15151515151"); - PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, personnr); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); - pdpKlient.forespørTilgang(pdpRequest); + var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); + var ressurs = AppRessursData.builder().leggTilFødselsnumre(personnr).build(); + pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - String xacmlRequestString = captor.getValue().build().toString(); + String xacmlRequestString = captor.getValue().toString(); assertThat(xacmlRequestString.contains("12345678900")).isTrue(); assertThat(xacmlRequestString.contains("00987654321")).isTrue(); 
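Review bot: The new TokenX test `kallPdpMedJwtTokenBodyNårIdTokenErTokeXToken` only asserts that the TokenX attribute id is present; if the mapper is meant to send the token under exactly one environment attribute, add `assertThat(captor.getValue().toString()).doesNotContain(NavFellesAttributter.ENVIRONMENT_FELLES_OIDC_TOKEN_BODY);` here and the mirror `doesNotContain(NavFellesAttributter.ENVIRONMENT_FELLES_TOKENX_TOKEN_BODY)` in the STS test, so a token ending up under both attributes is caught. The method name also has a typo, `TokeXToken` should be `TokenXToken`. `createResponse` no longer declares `FileNotFoundException`, yet `kallPdpUtenFnrResourceHvisPersonlisteErTom` still declares `throws FileNotFoundException` while its neighbours were cleaned up; the same leftover is in `skal_håndtere_blanding_av_fnr_og_aktør_id` in `@@ -251`. The `assertThat(xacmlRequestString.contains("12345678900")).isTrue()` form kept in `@@ -107`, `@@ -120` and `@@ -131` reports only `false` on failure, whereas `assertThat(xacmlRequestString).contains("12345678900")`, as used in the new assertions above, shows the actual request.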
@@ -120,10 +140,10 @@ public void kallPdpUtenFnrResourceHvisPersonlisteErTom() throws FileNotFoundExce } @Test - public void kallPdpMedFlereAttributtSettNårPersonlisteStørreEnn2() throws FileNotFoundException { - AbacIdToken idToken = AbacIdToken.withOidcToken(JWT_TOKEN); + public void kallPdpMedFlereAttributtSettNårPersonlisteStørreEnn2() { + var idToken = Token.withOidcToken(JWT_TOKEN); var responseWrapper = createResponse("xacmlresponse-array.json"); - ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequestBuilder.class); + var captor = ArgumentCaptor.forClass(XacmlRequest.class); when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); Set personnr = new HashSet<>(); @@ -131,12 +151,11 @@ public void kallPdpUtenFnrResourceHvisPersonlisteErTom() throws FileNotFoundExce personnr.add("00987654321"); personnr.add("15151515151"); - PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, personnr); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); - pdpKlient.forespørTilgang(pdpRequest); + var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); + var ressurs = AppRessursData.builder().leggTilFødselsnumre(personnr).build(); + pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - String xacmlRequestString = captor.getValue().build().toString(); + String xacmlRequestString = captor.getValue().toString(); assertThat(xacmlRequestString.contains("12345678900")).isTrue(); assertThat(xacmlRequestString.contains("00987654321")).isTrue(); 
@@ -144,31 +163,30 @@ public void kallPdpUtenFnrResourceHvisPersonlisteErTom() throws FileNotFoundExce } @Test - public void sporingsloggListeSkalHaSammeRekkefølgePåidenterSomXacmlRequest() throws FileNotFoundException { - AbacIdToken idToken = AbacIdToken.withOidcToken(JWT_TOKEN); + public void sporingsloggListeSkalHaSammeRekkefølgePåidenterSomXacmlRequest() { + var idToken = Token.withOidcToken(JWT_TOKEN); var responseWrapper = createResponse("xacml3response.json"); - ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequestBuilder.class); + var captor = ArgumentCaptor.forClass(XacmlRequest.class); when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - Set personnr = new HashSet<>(); + Set personnr = new LinkedHashSet<>(); personnr.add("12345678900"); personnr.add("00987654321"); personnr.add("15151515151"); - PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, personnr); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); - pdpKlient.forespørTilgang(pdpRequest); + var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); + var ressurs = AppRessursData.builder().leggTilFødselsnumre(personnr).medBehandlingStatus(PipBehandlingStatus.UTREDES).build(); + pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - var xacmlRequest = captor.getValue().build(); + var xacmlRequest = captor.getValue(); var resourceArray = xacmlRequest.request().get(Category.Resource); var personArray = resourceArray.stream() .map(XacmlRequest.Attributes::attribute) .flatMap(Collection::stream) - .filter(a -> NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR.equals(a.attributeId())) + .filter(a -> NavFellesAttributter.RESOURCE_FELLES_PERSON_FNR.equals(a.attributeId())) .toList(); - List personer = pdpRequest.getListOfString(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR); + var personer = new ArrayList<>(ressurs.getFødselsnumre()); for (int i = 0; i < personer.size(); 
i++) { assertThat(personArray.get(i).value().toString()).contains(personer.get(i)); @@ -177,21 +195,18 @@ public void kallPdpUtenFnrResourceHvisPersonlisteErTom() throws FileNotFoundExce @Test public void skal_base64_encode_saml_token() throws Exception { - AbacIdToken idToken = AbacIdToken.withSamlToken(""); + var idToken = Token.withSamlToken(""); @SuppressWarnings("unused") var responseWrapper = createResponse("xacmlresponse_multiple_obligation.json"); - PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, Collections.singleton("12345678900")); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); + var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); + var ressurs = AppRessursData.builder().leggTilFødselsnummer("12345678900").build(); - XacmlRequestBuilder builder = xamlRequestBuilderTjeneste.lagXacmlRequestBuilder(pdpRequest); - ((PdpKlientImpl) pdpKlient).leggPåTokenInformasjon(builder, pdpRequest); - var jsonRequest = builder.build(); + var jsonRequest = XacmlRequestMapper.lagXacmlRequest(felles, DOMENE, ressurs); var request = jsonRequest.request(); var environment = request.get(Category.Environment); - assertHasAttribute(environment, NavAbacCommonAttributter.ENVIRONMENT_FELLES_SAML_TOKEN, + assertHasAttribute(environment, NavFellesAttributter.ENVIRONMENT_FELLES_SAML_TOKEN, Base64.getEncoder().encodeToString("".getBytes(StandardCharsets.UTF_8))); environment.get(0).attribute().get(0).attributeId(); 
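Review bot: `.medBehandlingStatus(PipBehandlingStatus.UTREDES)` is added to the resource data in `sporingsloggListeSkalHaSammeRekkefølgePåidenterSomXacmlRequest`, but nothing in the test asserts on it, so either assert the corresponding attribute in `resourceArray` or drop it to keep the test about ordering. The comparison now runs between the XACML request and `ressurs.getFødselsnumre()`, not between the request and what the audit log receives as the test name suggests; if the audit logger iterates the same `AppRessursData`, a comment such as `// audit log and XACML request both iterate ressurs.getFødselsnumre(), so this order is the one that is logged` would record that assumption, otherwise the test no longer covers the audit-log path. The loop body and the rest of the method continue outside the hunk.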
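Review bot: `@SuppressWarnings("unused") var responseWrapper = createResponse("xacmlresponse_multiple_obligation.json");` is now dead in `skal_base64_encode_saml_token`, because the test builds the request through `XacmlRequestMapper.lagXacmlRequest` and never touches the PDP consumer; remove the line together with the suppression. The trailing `environment.get(0).attribute().get(0).attributeId();` statement has no effect either and can go with it. The remaining assertions of the method are outside the hunk.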
@@ -199,20 +214,20 @@ public void skal_base64_encode_saml_token() throws Exception { @Test public void skal_bare_ta_med_deny_advice() throws Exception { - AbacIdToken idToken = AbacIdToken.withSamlToken(""); + var idToken = Token.withSamlToken(""); var responseWrapper = createResponse("xacmlresponse_1deny_1permit.json"); - ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequestBuilder.class); + var captor = ArgumentCaptor.forClass(XacmlRequest.class); when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); Set personnr = new HashSet<>(); personnr.add("12345678900"); personnr.add("07078515206"); - PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, personnr); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); - Tilgangsbeslutning resultat = pdpKlient.forespørTilgang(pdpRequest); + var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); + var ressurs = AppRessursData.builder().leggTilFødselsnumre(personnr).build(); + var resultat = pdpKlient.forespørTilgang(felles, DOMENE, ressurs); + assertThat(resultat.beslutningKode()).isEqualTo(AbacResultat.AVSLÅTT_EGEN_ANSATT); } 
@@ -232,16 +247,15 @@ private void assertHasAttribute(List attributes, String @Test public void skalFeileVedUkjentObligation() throws Exception { - AbacIdToken idToken = AbacIdToken.withSamlToken("SAML"); + var idToken = Token.withSamlToken("SAML"); var responseWrapper = createResponse("xacmlresponse_multiple_obligation.json"); - when(pdpConsumerMock.evaluate(any(XacmlRequestBuilder.class))).thenReturn(responseWrapper); + when(pdpConsumerMock.evaluate(any(XacmlRequest.class))).thenReturn(responseWrapper); String feilKode = ""; try { - PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, Collections.singleton("12345678900")); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); - pdpKlient.forespørTilgang(pdpRequest); + var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); + var ressurs = AppRessursData.builder().leggTilFødselsnumre(Set.of("12345678900")).build(); + pdpKlient.forespørTilgang(felles, DOMENE, ressurs); } catch (VLException e) { feilKode = e.getKode(); } @@ -251,9 +265,9 @@ public void skalFeileVedUkjentObligation() throws Exception { @Test public void skal_håndtere_blanding_av_fnr_og_aktør_id() throws FileNotFoundException { - AbacIdToken idToken = AbacIdToken.withOidcToken(JWT_TOKEN); + var idToken = Token.withOidcToken(JWT_TOKEN); var responseWrapper = createResponse("xacml3response.json"); - ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequestBuilder.class); + var captor = ArgumentCaptor.forClass(XacmlRequest.class); when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); Set personnr = new HashSet<>(); 
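Review bot: The `String feilKode = ""; try { … } catch (VLException e) { feilKode = e.getKode(); }` holder pattern in `skalFeileVedUkjentObligation` can be replaced by AssertJ's `assertThatThrownBy(() -> pdpKlient.forespørTilgang(felles, DOMENE, ressurs)).isInstanceOf(VLException.class)` followed by a check of `getKode()` on the captured exception, which states the fail-closed expectation for an unknown obligation directly and gives a readable failure when nothing is thrown. `leggTilFødselsnumre(Set.of("12345678900"))` is also the only place a single fnr is added through the set method; `leggTilFødselsnummer("12345678900")` matches the other tests. The assertion on `feilKode` lies outside the hunk.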
@@ -262,13 +276,11 @@ public void skalFeileVedUkjentObligation() throws Exception { aktørId.add("11111"); aktørId.add("22222"); - PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, personnr); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE, aktørId); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); - pdpKlient.forespørTilgang(pdpRequest); + var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); + var ressurs = AppRessursData.builder().leggTilFødselsnumre(personnr).leggTilAktørIdSet(aktørId).build(); + pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - String xacmlRequestString = DefaultJsonMapper.toJson(captor.getValue().build()); + String xacmlRequestString = DefaultJsonMapper.toJson(captor.getValue()); assertThat(xacmlRequestString.contains("{\"AttributeId\":\"no.nav.abac.attributter.resource.felles.person.fnr\",\"Value\":\"12345678900\"}")) .isTrue(); 
@@ -278,16 +290,21 @@ public void skalFeileVedUkjentObligation() throws Exception { .contains("{\"AttributeId\":\"no.nav.abac.attributter.resource.felles.person.aktoerId_resource\",\"Value\":\"22222\"}")).isTrue(); } - private PdpRequest lagPdpRequest() { - PdpRequest request = new PdpRequest(); - request.put(NavAbacCommonAttributter.RESOURCE_FELLES_DOMENE, "foreldrepenger"); - request.put(NavAbacCommonAttributter.XACML10_ACTION_ACTION_ID, BeskyttetRessursActionAttributt.READ.getEksternKode()); - request.put(NavAbacCommonAttributter.RESOURCE_FELLES_RESOURCE_TYPE, "no.nav.abac.attributter.foreldrepenger.fagsak"); - return request; + private BeskyttetRessursAttributter lagBeskyttetRessursAttributter(Token token, AbacDataAttributter dataAttributter) { + return BeskyttetRessursAttributter.builder() + .medUserId("IDENT") + .medToken(token) + .medResourceType(ForeldrepengerAttributter.RESOURCE_TYPE_FP_FAGSAK) + .medActionType(ActionType.READ) + .medPepId("local-app") + .medServicePath("/metode") + .medServiceType(Token.TokenType.SAML.equals(token.getTokenType()) ? ServiceType.WEBSERVICE : ServiceType.REST) + .medDataAttributter(dataAttributter) + .build(); } @SuppressWarnings("resource") - private XacmlResponse createResponse(String jsonFile) throws FileNotFoundException { + private XacmlResponse createResponse(String jsonFile) { File file = new File(getClass().getClassLoader().getResource(jsonFile).getFile()); try { return DefaultJsonMapper.getObjectMapper().readValue(file, XacmlResponse.class); 
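Review bot: The new helper derives the service type from the token type, `Token.TokenType.SAML.equals(token.getTokenType()) ? ServiceType.WEBSERVICE : ServiceType.REST`, without saying why; a short comment such as `// SAML tokens only occur on the SOAP/web-service path, OIDC and TokenX on REST` would explain the coupling to the next reader (confirm that this is the actual rule). `createResponse` keeps `@SuppressWarnings("resource")` although Jackson's `readValue(File, Class)` manages the file itself, so the suppression looks like a leftover once the `throws` clause was dropped. `new File(getClass().getClassLoader().getResource(jsonFile).getFile())` also breaks for resources inside a jar or with URL-encoded path characters; `getClass().getClassLoader().getResourceAsStream(jsonFile)` passed to `readValue` avoids that. The catch branch of `createResponse` is outside the hunk.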
@@ -295,22 +312,24 @@ private XacmlResponse createResponse(String jsonFile) throws FileNotFoundExcepti // } return null; -/* - - JsonReader reader = Json.createReader(new FileReader(file)); - JsonObject jo = (JsonObject) reader.read(); - return new XacmlResponseWrapper(jo); */ } @Test - public void lese_request() throws IOException { + public void lese_sammenligne_request() throws IOException { File file = new File(getClass().getClassLoader().getResource("request.json").getFile()); var target = DefaultJsonMapper.getObjectMapper().readValue(file, XacmlRequest.class); - System.out.println(target); - File file2 = new File(getClass().getClassLoader().getResource("request1.json").getFile()); - var target2 = DefaultJsonMapper.getObjectMapper().readValue(file, XacmlRequest.class); - System.out.println(target2); + var felles = lagBeskyttetRessursAttributter(Token.withOidcToken(JWT_TOKEN), AbacDataAttributter.opprett()); + var ressurs = AppRessursData.builder() + .leggTilAktørId("11111") + .leggTilFødselsnummer("12345678900") + .build(); + var request = XacmlRequestMapper.lagXacmlRequest(felles, DOMENE, ressurs); + + assertThat(request.request().get(Category.Action)).isEqualTo(target.request().get(Category.Action)); + assertThat(request.request().get(Category.Environment)).isEqualTo(target.request().get(Category.Environment)); + assertThat(request.request().get(Category.Resource)).isEqualTo(target.request().get(Category.Resource)); + } } diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientNyImplTest.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientNyImplTest.java deleted file mode 100644 index 636108b23..000000000 --- a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientNyImplTest.java +++ /dev/null 
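Review bot: `createResponse` still ends in `return null;` after the catch, so a missing or malformed fixture surfaces as a `NullPointerException` inside the mocked consumer instead of a readable failure; rethrow from the catch branch (which lies between the two hunks) wrapped in an `AssertionError` that names `jsonFile`, and drop the `return null;`. In `lese_sammenligne_request` the comparisons cover `Category.Action`, `Category.Environment` and `Category.Resource`; if `Category` also defines a subject category, comparing it too would make `request.json` a complete golden file for `XacmlRequestMapper`. The Environment comparison is the one that pins how the token is placed in the request, so `request.json` has to stay in sync with `JWT_TOKENSTRING`; a comment on the `target` line, e.g. `// request.json embeds the same JWT as JWT_TOKENSTRING; update both together`, would make that dependency explicit.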
@@ -1,337 +0,0 @@ -package no.nav.vedtak.sikkerhet.pdp; - -import static org.assertj.core.api.Assertions.assertThat; -import static org.mockito.ArgumentMatchers.any; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; - -import java.io.File; -import java.io.FileNotFoundException; -import java.io.IOException; -import java.nio.charset.StandardCharsets; -import java.util.ArrayList; -import java.util.Base64; -import java.util.Collection; -import java.util.HashSet; -import java.util.LinkedHashSet; -import java.util.List; -import java.util.Set; - -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; -import org.mockito.ArgumentCaptor; - -import no.nav.vedtak.exception.VLException; -import no.nav.vedtak.mapper.json.DefaultJsonMapper; -import no.nav.vedtak.sikkerhet.abac.AbacDataAttributter; -import no.nav.vedtak.sikkerhet.abac.AbacResultat; -import no.nav.vedtak.sikkerhet.abac.PdpKlient; -import no.nav.vedtak.sikkerhet.abac.Token; -import no.nav.vedtak.sikkerhet.abac.beskyttet.ActionType; -import no.nav.vedtak.sikkerhet.abac.beskyttet.ServiceType; -import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter; -import no.nav.vedtak.sikkerhet.abac.pdp.AppRessursData; -import no.nav.vedtak.sikkerhet.abac.pdp.BehandlingStatus; -import no.nav.vedtak.sikkerhet.abac.policy.ForeldrepengerAttributter; -import no.nav.vedtak.sikkerhet.oidc.config.OpenIDProvider; -import no.nav.vedtak.sikkerhet.oidc.token.OpenIDToken; -import no.nav.vedtak.sikkerhet.oidc.token.TokenString; -import no.nav.vedtak.sikkerhet.pdp.xacml.Category; -import no.nav.vedtak.sikkerhet.pdp.xacml.NavFellesAttributter; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequest; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlResponse; - -public class PdpKlientNyImplTest { - - private static final String JWT_TOKENSTRING = 
"eyAidHlwIjogIkpXVCIsICJraWQiOiAiU0gxSWVSU2sxT1VGSDNzd1orRXVVcTE5VHZRPSIsICJhbGciOiAiUlMyNTYiIH0.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.S2DKQweQWZIfjaAT2UP9_dxrK5zqpXj8IgtjDLt5PVfLYfZqpWGaX-ckXG0GlztDVBlRK4ylmIYacTmEAUV_bRa_qWKRNxF83SlQRgHDSiE82SGv5WHOGEcAxf2w_d50XsgA2KDBCyv0bFIp9bCiKzP11uWPW0v4uIkyw2xVxMVPMCuiMUtYFh80sMDf9T4FuQcFd0LxoYcSFDEDlwCdRiF3ufw73qtMYBlNIMbTGHx-DZWkZV7CgukmCee79gwQIvGwdLrgaDrHFCJUDCbB1FFEaE3p3_BZbj0T54fCvL69aHyWm1zEd9Pys15yZdSh3oSSr4yVNIxhoF-nQ7gY-g;"; - public static final OpenIDToken JWT_TOKEN = new OpenIDToken(OpenIDProvider.STS, new TokenString(JWT_TOKENSTRING)); - public static final OpenIDToken JWT_TOKENX_TOKEN = new OpenIDToken(OpenIDProvider.TOKENX, new TokenString(JWT_TOKENSTRING)); - private static final String DOMENE = "foreldrepenger"; - - private PdpKlient pdpKlient; - private PdpConsumer pdpConsumerMock; - private XacmlRequestBuilderTjenesteImpl xamlRequestBuilderTjeneste; - - @BeforeEach - public void setUp() { - pdpConsumerMock = mock(PdpConsumer.class); - xamlRequestBuilderTjeneste = new XacmlRequestBuilderTjenesteImpl(); - pdpKlient = new PdpKlientImpl(pdpConsumerMock, xamlRequestBuilderTjeneste); - } - - @Test - public void kallPdpMedSamlTokenNårIdTokenErSamlToken() throws Exception { - var idToken = Token.withSamlToken("SAML"); - var responseWrapper = createResponse("xacmlresponse.json"); - var captor = ArgumentCaptor.forClass(XacmlRequest.class); - - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().leggTilFødselsnummer("12345678900").build(); - pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - - assertThat(captor.getValue().toString()).contains(NavFellesAttributter.ENVIRONMENT_FELLES_SAML_TOKEN); - } - - @Test - public void kallPdpUtenFnrResourceHvisPersonlisteErTom() throws FileNotFoundException { - var idToken = Token.withOidcToken(JWT_TOKEN); - 
var responseWrapper = createResponse("xacmlresponse.json"); - var captor = ArgumentCaptor.forClass(XacmlRequest.class); - - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().build(); - pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - - assertThat(captor.getValue().toString()).doesNotContain(NavFellesAttributter.RESOURCE_FELLES_PERSON_FNR); - } - - @Test - public void kallPdpMedJwtTokenBodyNårIdTokenErJwtToken() throws Exception { - var idToken = Token.withOidcToken(JWT_TOKEN); - var responseWrapper = createResponse("xacmlresponse.json"); - var captor = ArgumentCaptor.forClass(XacmlRequest.class); - - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().leggTilFødselsnummer("12345678900").build(); - pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - - assertThat(captor.getValue().toString()).contains(NavFellesAttributter.ENVIRONMENT_FELLES_OIDC_TOKEN_BODY); - } - - @Test - public void kallPdpMedJwtTokenBodyNårIdTokenErTokeXToken() throws Exception { - var idToken = Token.withOidcToken(JWT_TOKENX_TOKEN); - var responseWrapper = createResponse("xacmlresponse.json"); - var captor = ArgumentCaptor.forClass(XacmlRequest.class); - - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().leggTilFødselsnummer("12345678900").build(); - pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - - assertThat(captor.getValue().toString()).contains(NavFellesAttributter.ENVIRONMENT_FELLES_TOKENX_TOKEN_BODY); - } - - @Test - public void kallPdpMedFlereAttributtSettNårPersonlisteStørreEnn1() { - var idToken = 
Token.withOidcToken(JWT_TOKEN); - var responseWrapper = createResponse("xacml3response.json"); - var captor = ArgumentCaptor.forClass(XacmlRequest.class); - - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - Set personnr = new HashSet<>(); - personnr.add("12345678900"); - personnr.add("00987654321"); - personnr.add("15151515151"); - - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().leggTilFødselsnumre(personnr).build(); - pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - - String xacmlRequestString = captor.getValue().toString(); - - assertThat(xacmlRequestString.contains("12345678900")).isTrue(); - assertThat(xacmlRequestString.contains("00987654321")).isTrue(); - assertThat(xacmlRequestString.contains("15151515151")).isTrue(); - } - - @Test - public void kallPdpMedFlereAttributtSettNårPersonlisteStørreEnn2() { - var idToken = Token.withOidcToken(JWT_TOKEN); - var responseWrapper = createResponse("xacmlresponse-array.json"); - var captor = ArgumentCaptor.forClass(XacmlRequest.class); - - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - Set personnr = new HashSet<>(); - personnr.add("12345678900"); - personnr.add("00987654321"); - personnr.add("15151515151"); - - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().leggTilFødselsnumre(personnr).build(); - pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - - String xacmlRequestString = captor.getValue().toString(); - - assertThat(xacmlRequestString.contains("12345678900")).isTrue(); - assertThat(xacmlRequestString.contains("00987654321")).isTrue(); - assertThat(xacmlRequestString.contains("15151515151")).isTrue(); - } - - @Test - public void sporingsloggListeSkalHaSammeRekkefølgePåidenterSomXacmlRequest() { - var idToken = Token.withOidcToken(JWT_TOKEN); - var responseWrapper = 
createResponse("xacml3response.json"); - var captor = ArgumentCaptor.forClass(XacmlRequest.class); - - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - Set personnr = new LinkedHashSet<>(); - personnr.add("12345678900"); - personnr.add("00987654321"); - personnr.add("15151515151"); - - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().leggTilFødselsnumre(personnr).medBehandlingStatus(BehandlingStatus.UTREDES).build(); - pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - - var xacmlRequest = captor.getValue(); - var resourceArray = xacmlRequest.request().get(Category.Resource); - var personArray = resourceArray.stream() - .map(XacmlRequest.Attributes::attribute) - .flatMap(Collection::stream) - .filter(a -> NavFellesAttributter.RESOURCE_FELLES_PERSON_FNR.equals(a.attributeId())) - .toList(); - - var personer = new ArrayList<>(ressurs.getFødselsnumre()); - - for (int i = 0; i < personer.size(); i++) { - assertThat(personArray.get(i).value().toString()).contains(personer.get(i)); - } - } - - @Test - public void skal_base64_encode_saml_token() throws Exception { - var idToken = Token.withSamlToken(""); - @SuppressWarnings("unused") - var responseWrapper = createResponse("xacmlresponse_multiple_obligation.json"); - - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().leggTilFødselsnummer("12345678900").build(); - - var jsonRequest = XacmlRequestMapper.lagXacmlRequest(felles, DOMENE, ressurs); - var request = jsonRequest.request(); - var environment = request.get(Category.Environment); - - assertHasAttribute(environment, NavFellesAttributter.ENVIRONMENT_FELLES_SAML_TOKEN, - Base64.getEncoder().encodeToString("".getBytes(StandardCharsets.UTF_8))); - - environment.get(0).attribute().get(0).attributeId(); - } - - @Test - public void skal_bare_ta_med_deny_advice() throws Exception { - var 
idToken = Token.withSamlToken(""); - var responseWrapper = createResponse("xacmlresponse_1deny_1permit.json"); - - var captor = ArgumentCaptor.forClass(XacmlRequest.class); - - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - Set personnr = new HashSet<>(); - personnr.add("12345678900"); - personnr.add("07078515206"); - - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().leggTilFødselsnumre(personnr).build(); - var resultat = pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - - assertThat(resultat.beslutningKode()).isEqualTo(AbacResultat.AVSLÅTT_EGEN_ANSATT); - } - - private void assertHasAttribute(List attributes, String attributeName, String expectedValue) { - int jsize = attributes.size(); - for (int j = 0; j < jsize; j++) { - int size = attributes.get(j).attribute().size(); - for (int i = 0; i < size; i++) { - var obj = attributes.get(j).attribute().get(i); - if (obj.attributeId().equals(attributeName) && obj.value().toString().equals(expectedValue)) { - return; - } - } - } - throw new AssertionError("Fant ikke " + attributeName + "=" + expectedValue + " i " + attributes); - } - - @Test - public void skalFeileVedUkjentObligation() throws Exception { - var idToken = Token.withSamlToken("SAML"); - var responseWrapper = createResponse("xacmlresponse_multiple_obligation.json"); - - when(pdpConsumerMock.evaluate(any(XacmlRequest.class))).thenReturn(responseWrapper); - String feilKode = ""; - try { - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().leggTilFødselsnumre(Set.of("12345678900")).build(); - pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - } catch (VLException e) { - feilKode = e.getKode(); - } - assertThat(feilKode).isEqualTo("F-576027"); - } - - @Test - public void skal_håndtere_blanding_av_fnr_og_aktør_id() throws FileNotFoundException { - - var idToken = 
Token.withOidcToken(JWT_TOKEN); - var responseWrapper = createResponse("xacml3response.json"); - var captor = ArgumentCaptor.forClass(XacmlRequest.class); - - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - Set personnr = new HashSet<>(); - personnr.add("12345678900"); - Set aktørId = new HashSet<>(); - aktørId.add("11111"); - aktørId.add("22222"); - - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().leggTilFødselsnumre(personnr).leggTilAktørIdSet(aktørId).build(); - pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - - String xacmlRequestString = DefaultJsonMapper.toJson(captor.getValue()); - - assertThat(xacmlRequestString.contains("{\"AttributeId\":\"no.nav.abac.attributter.resource.felles.person.fnr\",\"Value\":\"12345678900\"}")) - .isTrue(); - assertThat(xacmlRequestString - .contains("{\"AttributeId\":\"no.nav.abac.attributter.resource.felles.person.aktoerId_resource\",\"Value\":\"11111\"}")).isTrue(); - assertThat(xacmlRequestString - .contains("{\"AttributeId\":\"no.nav.abac.attributter.resource.felles.person.aktoerId_resource\",\"Value\":\"22222\"}")).isTrue(); - } - - private BeskyttetRessursAttributter lagBeskyttetRessursAttributter(Token token, AbacDataAttributter dataAttributter) { - return BeskyttetRessursAttributter.builder() - .medUserId("IDENT") - .medToken(token) - .medResourceType(ForeldrepengerAttributter.RESOURCE_TYPE_FP_FAGSAK) - .medActionType(ActionType.READ) - .medPepId("local-app") - .medServicePath("/metode") - .medServiceType(Token.TokenType.SAML.equals(token.getTokenType()) ? 
ServiceType.WEBSERVICE : ServiceType.REST) - .medDataAttributter(dataAttributter) - .build(); - } - - @SuppressWarnings("resource") - private XacmlResponse createResponse(String jsonFile) { - File file = new File(getClass().getClassLoader().getResource(jsonFile).getFile()); - try { - return DefaultJsonMapper.getObjectMapper().readValue(file, XacmlResponse.class); - } catch (Exception e) { - // - } - return null; - } - - @Test - public void lese_sammenligne_request() throws IOException { - File file = new File(getClass().getClassLoader().getResource("request.json").getFile()); - var target = DefaultJsonMapper.getObjectMapper().readValue(file, XacmlRequest.class); - - var felles = lagBeskyttetRessursAttributter(Token.withOidcToken(JWT_TOKEN), AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder() - .leggTilAktørId("11111") - .leggTilFødselsnummer("12345678900") - .build(); - var request = XacmlRequestMapper.lagXacmlRequest(felles, DOMENE, ressurs); - - assertThat(request.request().get(Category.Action)).isEqualTo(target.request().get(Category.Action)); - assertThat(request.request().get(Category.Environment)).isEqualTo(target.request().get(Category.Environment)); - assertThat(request.request().get(Category.Resource)).isEqualTo(target.request().get(Category.Resource)); - - } - -} diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestBuilderTjenesteImpl.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestBuilderTjenesteImpl.java deleted file mode 100644 index 07fcbf3ba..000000000 --- a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestBuilderTjenesteImpl.java +++ /dev/null 
@@ -1,112 +0,0 @@ -package no.nav.vedtak.sikkerhet.pdp; - -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_DOMENE; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_RESOURCE_TYPE; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.SUBJECT_TYPE; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.XACML10_ACTION_ACTION_ID; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.XACML10_SUBJECT_ID; - -import java.util.ArrayList; -import java.util.List; - -import javax.enterprise.context.Dependent; - -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import no.nav.vedtak.sikkerhet.abac.PdpRequest; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlAttributeSet; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequestBuilder; - -/** - * Eksemple {@link XacmlRequestBuilderTjeneste} for enhetstest. 
- */ -@Dependent -public class XacmlRequestBuilderTjenesteImpl implements XacmlRequestBuilderTjeneste { - - private static final Logger LOG = LoggerFactory.getLogger(XacmlRequestBuilderTjenesteImpl.class); - - public XacmlRequestBuilderTjenesteImpl() { - } - - @Override - public XacmlRequestBuilder lagXacmlRequestBuilder(PdpRequest pdpRequest) { - XacmlRequestBuilder xacmlBuilder = new XacmlRequestBuilder(); - - XacmlAttributeSet actionAttributeSet = new XacmlAttributeSet(); - actionAttributeSet.addAttribute(XACML10_ACTION_ACTION_ID, - pdpRequest.getString(XACML10_ACTION_ACTION_ID)); - xacmlBuilder.addActionAttributeSet(actionAttributeSet); - var identer = hentIdenter(pdpRequest, RESOURCE_FELLES_PERSON_FNR, - RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE); - - if (identer.isEmpty()) { - populerResources(xacmlBuilder, pdpRequest, null); - } else { - for (var ident : identer) { - populerResources(xacmlBuilder, pdpRequest, ident); - } - } - - populerSubjects(pdpRequest, xacmlBuilder); - - return xacmlBuilder; - } - - private void populerSubjects(PdpRequest pdpRequest, XacmlRequestBuilder xacmlBuilder) { - var attrs = new XacmlAttributeSet(); - var found = false; - - if (pdpRequest.get(XACML10_SUBJECT_ID) != null) { - attrs.addAttribute(XACML10_SUBJECT_ID, pdpRequest.getString(XACML10_SUBJECT_ID)); - found = true; - } - if (pdpRequest.get(SUBJECT_TYPE) != null) { - attrs.addAttribute(SUBJECT_TYPE, pdpRequest.getString(SUBJECT_TYPE)); - found = true; - } - if (found) { - LOG.trace("Legger til subject attributter {}", attrs); - xacmlBuilder.addSubjectAttributeSet(attrs); - } - LOG.trace("Legger IKKE til suject attributter"); - } - - protected void populerResources(XacmlRequestBuilder xacmlBuilder, PdpRequest pdpRequest, Ident ident) { - var attributter = byggRessursAttributter(pdpRequest); - if (ident != null) { - attributter.addAttribute(ident.one(), ident.two()); - } - xacmlBuilder.addResourceAttributeSet(attributter); - } - - protected XacmlAttributeSet 
byggRessursAttributter(PdpRequest pdpRequest) { - var resourceAttributeSet = new XacmlAttributeSet(); - - resourceAttributeSet.addAttribute(RESOURCE_FELLES_DOMENE, - pdpRequest.getString(RESOURCE_FELLES_DOMENE)); - - resourceAttributeSet.addAttribute(RESOURCE_FELLES_RESOURCE_TYPE, - pdpRequest.getString(RESOURCE_FELLES_RESOURCE_TYPE)); - - return resourceAttributeSet; - } - - protected void setOptionalValueinAttributeSet(XacmlAttributeSet resourceAttributeSet, PdpRequest pdpRequest, String key) { - pdpRequest.getOptional(key).ifPresent(s -> resourceAttributeSet.addAttribute(key, s)); - } - - private static List hentIdenter(PdpRequest pdpRequest, String... identNøkler) { - List identer = new ArrayList<>(); - for (String key : identNøkler) { - identer.addAll(pdpRequest.getListOfString(key).stream().map(it -> new Ident(key, it)).toList()); - } - return identer; - } - - private record Ident(String one, String two) { - - } -}