Merge pull request #54 from navikt/dev/sikkerhetsmodul

Dev/sikkerhetsmodul

.github/workflows/api-start-stopp.yaml

@@ -21,11 +21,12 @@ env:
 jobs:
   build:
     name: Build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       id-token: write
       packages: write
-    runs-on: ubuntu-latest
     outputs:
       image: ${{ steps.docker-build-push.outputs.image }}
     steps:

.github/workflows/bekreftelse-api.yaml

@@ -22,11 +22,12 @@ env:
 jobs:
   build:
     name: Build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       id-token: write
       packages: write
-    runs-on: ubuntu-latest
     outputs:
       image: ${{ steps.docker-build-push.outputs.image }}
     steps:

.github/workflows/bekreftelse-min-side-varsler.yaml

@@ -21,11 +21,12 @@ env:
 jobs:
   build:
     name: Build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       id-token: write
       packages: write
-    runs-on: ubuntu-latest
     outputs:
       image: ${{ steps.docker-build-push.outputs.image }}
     steps:

.github/workflows/bekreftelse-tjeneste.yaml

@@ -22,11 +22,12 @@ env:
 jobs:
   build:
     name: Build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       id-token: write
       packages: write
-    runs-on: ubuntu-latest
     outputs:
       image: ${{ steps.docker-build-push.outputs.image }}
     steps:

.github/workflows/bekreftelse-utgang.yaml

@@ -22,11 +22,12 @@ env:
 jobs:
   build:
     name: Build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       id-token: write
       packages: write
-    runs-on: ubuntu-latest
     outputs:
       image: ${{ steps.docker-build-push.outputs.image }}
     steps:

.github/workflows/hendelselogg-backup.yaml

@@ -21,11 +21,12 @@ env:
 jobs:
   build:
     name: Build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       id-token: write
       packages: write
-    runs-on: ubuntu-latest
     outputs:
       image: ${{ steps.docker-build-push.outputs.image }}
     steps:

.github/workflows/hendelseprosessor.yaml

@@ -21,11 +21,12 @@ env:
 jobs:
   build:
     name: Build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       id-token: write
       packages: write
-    runs-on: ubuntu-latest
     outputs:
       image: ${{ steps.docker-build-push.outputs.image }}
     steps:

.github/workflows/kafka-key-generator.yaml

@@ -21,11 +21,12 @@ env:
 jobs:
   build:
     name: Build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       id-token: write
       packages: write
-    runs-on: ubuntu-latest
     outputs:
       image: ${{ steps.docker-build-push.outputs.image }}
     steps:

.github/workflows/utgang-formidlingsgruppe-deploy.yaml

@@ -21,11 +21,12 @@ env:
 jobs:
   build:
     name: Build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       id-token: write
       packages: write
-    runs-on: ubuntu-latest
     outputs:
       image: ${{ steps.docker-build-push.outputs.image }}
     steps:

.github/workflows/utgang-pdl-deploy.yaml

@@ -21,11 +21,12 @@ env:
 jobs:
   build:
     name: Build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       id-token: write
       packages: write
-    runs-on: ubuntu-latest
     outputs:
       image: ${{ steps.docker-build-push.outputs.image }}
     steps:

apps/api-start-stopp-perioder/build.gradle.kts

@@ -34,7 +34,7 @@ dependencies {
     implementation(libs.nav.common.tokenClient)
     implementation(libs.nav.common.auditLog)
     implementation(libs.nav.common.log)
-    implementation(libs.poao.tilgangClient)
+    implementation(libs.nav.poao.tilgangClient)
     implementation(libs.logbackClassic)
     implementation(libs.logstashLogbackEncoder)
     implementation(libs.kafka.clients)

apps/api-start-stopp-perioder/src/test/kotlin/no/nav/paw/arbeidssokerregisteret/ProducerMock.kt

@@ -6,7 +6,11 @@ import org.apache.kafka.clients.producer.Callback
 import org.apache.kafka.clients.producer.Producer
 import org.apache.kafka.clients.producer.ProducerRecord
 import org.apache.kafka.clients.producer.RecordMetadata
-import org.apache.kafka.common.*
+import org.apache.kafka.common.Metric
+import org.apache.kafka.common.MetricName
+import org.apache.kafka.common.PartitionInfo
+import org.apache.kafka.common.TopicPartition
+import org.apache.kafka.common.Uuid
 import java.time.Duration
 import java.time.Instant
 import java.util.concurrent.CompletableFuture
@@ -26,6 +30,7 @@ class ProducerMock<K, V> : Producer<K, V> {
 
     override fun beginTransaction() {}
 
+    @Deprecated(message = "Use sendOffsetsToTransaction(Map<TopicPartition, OffsetAndMetadata>, ConsumerGroupMetadata")
     override fun sendOffsetsToTransaction(
         offsets: MutableMap<TopicPartition, OffsetAndMetadata>?,
         consumerGroupId: String?

apps/bekreftelse-api/build.gradle.kts

@@ -42,7 +42,7 @@ dependencies {
     implementation(libs.nav.security.tokenValidationKtorV2)
 
     // Authorization
-    implementation(libs.poao.tilgangClient)
+    implementation(libs.nav.poao.tilgangClient)
 
     // Documentation
     implementation(libs.ktor.server.openapi)

apps/bekreftelse-tjeneste/nais/nais-dev.yaml

@@ -20,15 +20,15 @@ spec:
     - name: KAFKA_PAW_BEKREFTELSE_PAA_VEGNE_AV_TOPIC
       value: "paw.arbeidssoker-bekreftelse-paavegneav-beta-v1"
     - name: KAFKA_PUNCTUATOR_INTERVAL
-      value: "PT1M"
+      value: "PT1H"
     - name: BEKREFTELSE_MIGRERINGSTIDSPUNKT
       value: "2024-09-29T22:00:00Z"
     - name: BEKREFTELSE_INTERVAL
-      value: "PT28M"
+      value: "P1D"
     - name: BEKREFTELSE_GRACEPERIODE
-      value: "PT14M"
+      value: "PT12H"
     - name: BEKREFTELSE_TILGJENGELIG_OFFSET
-      value: "PT6M"
+      value: "PT6H"
   azure:
     application:
       enabled: true

domain/bekreftelse-paavegneav-avro-schema/build.gradle.kts

@@ -10,8 +10,8 @@ val schema by configurations.creating {
 }
 
 dependencies {
-    schema(libs.paw.schema.bekreftelse.paavegneav)
-    implementation(libs.paw.schema.bekreftelse.paavegneav)
+    schema(libs.nav.paw.schema.bekreftelse.paavegneav)
+    implementation(libs.nav.paw.schema.bekreftelse.paavegneav)
     api(libs.avro.core)
 }
 

domain/bekreftelsesmelding-avro-schema/build.gradle.kts

@@ -10,8 +10,8 @@ val schema by configurations.creating {
 }
 
 dependencies {
-    schema(libs.paw.schema.bekreftelsesmelding)
-    implementation(libs.paw.schema.bekreftelsesmelding)
+    schema(libs.nav.paw.schema.bekreftelsesmelding)
+    implementation(libs.nav.paw.schema.bekreftelsesmelding)
     api(libs.avro.core)
 }
 

domain/main-avro-schema/build.gradle.kts

@@ -10,8 +10,8 @@ val schema by configurations.creating {
 }
 
 dependencies {
-    schema(libs.paw.schema.main)
-    api(libs.paw.schema.main)
+    schema(libs.nav.paw.schema.main)
+    api(libs.nav.paw.schema.main)
     api(libs.avro.core)
 }
 

gradle/libs.versions.toml

@@ -1,6 +1,8 @@
 [versions]
 noNavSecurityVersion = "5.0.5"
+noNavSecurityMockOauth2ServerVersion = "2.1.5"
 noNavCommonVersion = "3.2024.05.23_05.46-2b29fa343e8e"
+navPoaoTilgangClientVersion = "2024.04.29_13.59-a0ddddd36ac9"
 arbeidssokerregisteretVersion = "1.9348086045.48-1"
 bekreftelseSchemaVersion = "24.10.28.13-1"
 arrowVersion = "1.2.4"
@@ -66,7 +68,6 @@ opentelemetry-ktor = { group = "io.opentelemetry.instrumentation", name = "opent
 opentelemetry-annotations = { group = "io.opentelemetry.instrumentation", name = "opentelemetry-instrumentation-annotations", version.ref = "otelInstrumentationVersion" }
 micrometerCore = { group = "io.micrometer", name = "micrometer-core", version.ref = "micrometerVersion" }
 micrometer-registryPrometheus = { group = "io.micrometer", name = "micrometer-registry-prometheus", version.ref = "micrometerVersion" }
-paw-schema-main = { group = "no.nav.paw.arbeidssokerregisteret.api", name = "main-avro-schema", version.ref = "arbeidssokerregisteretVersion" }
 kafka-clients = { group = "org.apache.kafka", name = "kafka-clients", version.ref = "orgApacheKafkaVersion" }
 kafka-streams-core = { group = "org.apache.kafka", name = "kafka-streams", version.ref = "orgApacheKafkaVersion" }
 kafka-streams-test = { group = "org.apache.kafka", name = "kafka-streams-test-utils", version.ref = "orgApacheKafkaVersion" }
@@ -76,11 +77,6 @@ avro-kafkaStreamsSerde = { group = "io.confluent", name = "kafka-streams-avro-se
 jackson-datatypeJsr310 = { group = "com.fasterxml.jackson.datatype", name = "jackson-datatype-jsr310", version.ref = "comFasterxmlJacksonVersion" }
 jackson-kotlin = { group = "com.fasterxml.jackson.module", name = "jackson-module-kotlin", version.ref = "comFasterxmlJacksonVersion" }
 jackson-core = { group = "com.fasterxml.jackson.core", name = "jackson-core", version.ref = "comFasterxmlJacksonVersion" }
-nav-common-tokenClient = { group = "no.nav.common", name = "token-client", version.ref = "noNavCommonVersion" }
-nav-common-log = { group = "no.nav.common", name = "log", version.ref = "noNavCommonVersion" }
-nav-common-auditLog = { group = "no.nav.common", name = "audit-log", version.ref = "noNavCommonVersion" }
-nav-security-tokenValidationKtorV2 = { group = "no.nav.security", name = "token-validation-ktor-v2", version.ref = "noNavSecurityVersion" }
-nav-security-tokenClientCore = { group = "no.nav.security", name = "token-client-core", version.ref = "noNavSecurityVersion" }
 graphql-client = { group = "com.expediagroup", name = "graphql-kotlin-client", version.ref = "graphqlClientVersion" }
 graphql-ktor-client = { group = "com.expediagroup", name = "graphql-kotlin-ktor-client", version.ref = "graphqlClientVersion" }
 hoplite-core = { group = "com.sksamuel.hoplite", name = "hoplite-core", version.ref = "comSksamuelHopliteVersion" }
@@ -102,9 +98,16 @@ database-postgres-driver = { group = "org.postgresql", name = "postgresql", vers
 database-flyway-core = { group = "org.flywaydb", name = "flyway-core", version.ref = "flywayVersion" }
 database-flyway-postgres = { group = "org.flywaydb", name = "flyway-database-postgresql", version.ref = "flywayVersion" }
 database-hikari-connectionPool = { group = "com.zaxxer", name = "HikariCP", version.ref = "hikariVersion" }
-poao-tilgangClient = { group = "no.nav.poao-tilgang", name = "client", version = "2024.04.29_13.59-a0ddddd36ac9" }
-paw-schema-bekreftelse-paavegneav = { group = "no.nav.paw.arbeidssokerregisteret.api", name = "bekreftelse-paavegneav-schema", version.ref = "bekreftelseSchemaVersion" }
-paw-schema-bekreftelsesmelding = { group = "no.nav.paw.arbeidssokerregisteret.api", name = "bekreftelsesmelding-schema", version.ref = "bekreftelseSchemaVersion" }
+nav-common-tokenClient = { group = "no.nav.common", name = "token-client", version.ref = "noNavCommonVersion" }
+nav-common-log = { group = "no.nav.common", name = "log", version.ref = "noNavCommonVersion" }
+nav-common-auditLog = { group = "no.nav.common", name = "audit-log", version.ref = "noNavCommonVersion" }
+nav-security-tokenClientCore = { group = "no.nav.security", name = "token-client-core", version.ref = "noNavSecurityVersion" }
+nav-security-tokenValidationKtorV2 = { group = "no.nav.security", name = "token-validation-ktor-v2", version.ref = "noNavSecurityVersion" }
+nav-security-mockOauth2Server = { group = "no.nav.security", name = "mock-oauth2-server", version.ref = "noNavSecurityMockOauth2ServerVersion" }
+nav-poao-tilgangClient = { group = "no.nav.poao-tilgang", name = "client", version.ref = "navPoaoTilgangClientVersion" }
+nav-paw-schema-main = { group = "no.nav.paw.arbeidssokerregisteret.api", name = "main-avro-schema", version.ref = "arbeidssokerregisteretVersion" }
+nav-paw-schema-bekreftelse-paavegneav = { group = "no.nav.paw.arbeidssokerregisteret.api", name = "bekreftelse-paavegneav-schema", version.ref = "bekreftelseSchemaVersion" }
+nav-paw-schema-bekreftelsesmelding = { group = "no.nav.paw.arbeidssokerregisteret.api", name = "bekreftelsesmelding-schema", version.ref = "bekreftelseSchemaVersion" }
 
 [bundles]
 ktorServerWithNettyAndMicrometer = ["ktor-server-core", "ktor-server-coreJvm", "ktor-server-netty", "ktor-server-metricsMicrometer"]

lib/security/README.md

@@ -0,0 +1,3 @@
+# Sikkerhetsmodul
+
+Felles sikkerhetsmodul for autentisering og autorisering.

lib/security/build.gradle.kts

@@ -0,0 +1,24 @@
+plugins {
+    kotlin("jvm")
+}
+
+dependencies {
+    implementation(project(":lib:error-handling"))
+    implementation(libs.ktor.server.auth)
+    implementation(libs.logbackClassic)
+    implementation(libs.nav.security.tokenValidationKtorV2)
+
+    //Test
+    testImplementation(project(":lib:pdl-client"))
+    testImplementation(libs.nav.poao.tilgangClient)
+    testImplementation(libs.nav.security.mockOauth2Server)
+    testImplementation(libs.bundles.testLibsWithUnitTesting)
+    testImplementation(libs.ktor.server.testJvm)
+    testImplementation(libs.ktor.client.contentNegotiation)
+    testImplementation(libs.ktor.serialization.jackson)
+    testImplementation(libs.jackson.datatypeJsr310)
+}
+
+tasks.withType<Test>().configureEach {
+    useJUnitPlatform()
+}

lib/security/src/main/kotlin/no/nav/paw/security/authentication/exception/BearerTokenManglerException.kt

@@ -0,0 +1,6 @@
+package no.nav.paw.security.authentication.exception
+
+import no.nav.paw.error.exception.AuthenticationException
+
+class BearerTokenManglerException(message: String) :
+    AuthenticationException("PAW_BEARER_TOKEN_MANGLER", message)

lib/security/src/main/kotlin/no/nav/paw/security/authentication/exception/IngenTilgangException.kt

@@ -0,0 +1,6 @@
+package no.nav.paw.security.authentication.exception
+
+import no.nav.paw.error.exception.AuthorizationException
+
+class IngenTilgangException(message: String) :
+    AuthorizationException("PAW_INGEN_TILGANG", message)

lib/security/src/main/kotlin/no/nav/paw/security/authentication/exception/UgyldigBearerTokenException.kt

@@ -0,0 +1,6 @@
+package no.nav.paw.security.authentication.exception
+
+import no.nav.paw.error.exception.AuthorizationException
+
+class UgyldigBearerTokenException(message: String) :
+    AuthorizationException("PAW_UGYLDIG_BEARER_TOKEN", message)

lib/security/src/main/kotlin/no/nav/paw/security/authentication/exception/UgyldigBrukerException.kt

@@ -0,0 +1,6 @@
+package no.nav.paw.security.authentication.exception
+
+import no.nav.paw.error.exception.AuthorizationException
+
+class UgyldigBrukerException(message: String) :
+    AuthorizationException("PAW_UGYLDIG_BRUKER", message)

lib/security/src/main/kotlin/no/nav/paw/security/authentication/model/Bruker.kt

@@ -0,0 +1,11 @@
+package no.nav.paw.security.authentication.model
+
+import java.util.*
+
+sealed class Bruker<ID : Any>(
+    open val ident: ID
+)
+
+data class Sluttbruker(override val ident: Identitetsnummer) : Bruker<Identitetsnummer>(ident)
+data class NavAnsatt(val oid: UUID, override val ident: String) : Bruker<String>(ident)
+data class M2MToken(val oid: UUID) : Bruker<String>("N/A")

lib/security/src/main/kotlin/no/nav/paw/security/authentication/model/Identitetsnummer.kt

@@ -0,0 +1,10 @@
+package no.nav.paw.security.authentication.model
+
+@JvmInline
+value class Identitetsnummer(val verdi: String) {
+    override fun toString(): String {
+        return "*".repeat(verdi.length)
+    }
+}
+
+fun String.asIdentitetsnummer(): Identitetsnummer = Identitetsnummer(this)