La til felles sikkerhetsconfig, splittet config-filer i bekreftelse-api

apps/bekreftelse-api/nais/nais-dev.yaml

@@ -9,12 +9,14 @@ spec:
   image: {{ image }}
   port: 8080
   env:
+    - name: CORS_ALLOW_ORIGINS
+      value: "www.intern.dev.nav.no"
     - name: KAFKA_PAW_ARBEIDSSOKER_BEKREFTELSE_TOPIC
       value: "paw.arbeidssoker-bekreftelse-beta-v2"
     - name: KAFKA_PAW_ARBEIDSSOKER_BEKREFTELSE_HENDELSESLOGG_TOPIC
       value: "paw.arbeidssoker-bekreftelse-hendelseslogg-beta-v2"
-    - name: CORS_ALLOW_ORIGINS
-      value: "www.intern.dev.nav.no"
+    - name: KAFKA_KEYS_SCOPE
+      value: "api://dev-gcp.paw.paw-kafka-key-generator/.default"
   replicas:
     min: 2
     max: 2

apps/bekreftelse-api/nais/nais-prod.yaml

@@ -9,12 +9,14 @@ spec:
   image: {{ image }}
   port: 8080
   env:
+    - name: CORS_ALLOW_ORIGINS
+      value: "www.intern.nav.no"
     - name: KAFKA_PAW_ARBEIDSSOKER_BEKREFTELSE_TOPIC
       value: "paw.arbeidssoker-bekreftelse-v1"
     - name: KAFKA_PAW_ARBEIDSSOKER_BEKREFTELSE_HENDELSESLOGG_TOPIC
       value: "paw.arbeidssoker-bekreftelse-hendelseslogg-v1"
-    - name: CORS_ALLOW_ORIGINS
-      value: "www.intern.nav.no"
+    - name: KAFKA_KEYS_SCOPE
+      value: "api://prod-gcp.paw.paw-kafka-key-generator/.default"
   replicas:
     min: 2
     max: 2

apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/config/ApplicationConfig.kt

@@ -1,19 +1,12 @@
 package no.nav.paw.bekreftelse.api.config
 
-import no.nav.paw.config.kafka.KafkaConfig
-import no.nav.paw.kafkakeygenerator.auth.AzureM2MConfig
-import no.nav.paw.kafkakeygenerator.client.KafkaKeyConfig
 import java.time.Duration
 
-const val APPLICATION_CONFIG_FILE_NAME = "application_config.toml"
+const val APPLICATION_CONFIG = "application_config.toml"
+const val POAO_TILGANG_CLIENT_CONFIG = "poao_tilgang_client_config.toml"
 
 data class ApplicationConfig(
     val autorisasjon: AutorisasjonConfig,
-    val authProviders: List<AuthProvider>,
-    val azureM2M: AzureM2MConfig,
-    val poaoClientConfig: ServiceClientConfig,
-    val kafkaKeysClient: KafkaKeyConfig,
-    val kafkaClients: KafkaConfig,
     val kafkaTopology: KafkaTopologyConfig,
     val database: DatabaseConfig
 )
@@ -22,23 +15,6 @@ data class AutorisasjonConfig(
     val corsAllowOrigins: String? = null
 )
 
-data class ServiceClientConfig(
-    val url: String,
-    val scope: String
-)
-
-data class AuthProvider(
-    val name: String,
-    val discoveryUrl: String,
-    val clientId: String,
-    val claims: AuthProviderClaims
-)
-
-data class AuthProviderClaims(
-    val map: List<String>,
-    val combineWithOr: Boolean = false
-)
-
 data class KafkaTopologyConfig(
     val version: Int,
     val antallPartitioner: Int,

apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/context/ApplicationContext.kt

@@ -2,8 +2,9 @@ package no.nav.paw.bekreftelse.api.context
 
 import io.micrometer.prometheusmetrics.PrometheusConfig
 import io.micrometer.prometheusmetrics.PrometheusMeterRegistry
-import no.nav.paw.bekreftelse.api.config.APPLICATION_CONFIG_FILE_NAME
+import no.nav.paw.bekreftelse.api.config.APPLICATION_CONFIG
 import no.nav.paw.bekreftelse.api.config.ApplicationConfig
+import no.nav.paw.bekreftelse.api.config.POAO_TILGANG_CLIENT_CONFIG
 import no.nav.paw.bekreftelse.api.config.SERVER_CONFIG_FILE_NAME
 import no.nav.paw.bekreftelse.api.config.ServerConfig
 import no.nav.paw.bekreftelse.api.handler.KafkaConsumerExceptionHandler
@@ -17,14 +18,22 @@ import no.nav.paw.bekreftelse.internehendelser.BekreftelseHendelse
 import no.nav.paw.bekreftelse.internehendelser.BekreftelseHendelseDeserializer
 import no.nav.paw.bekreftelse.melding.v1.Bekreftelse
 import no.nav.paw.config.hoplite.loadNaisOrLocalConfiguration
+import no.nav.paw.config.kafka.KAFKA_CONFIG_WITH_SCHEME_REG
+import no.nav.paw.config.kafka.KafkaConfig
 import no.nav.paw.config.kafka.KafkaFactory
 import no.nav.paw.health.model.HealthStatus
 import no.nav.paw.health.model.LivenessHealthIndicator
 import no.nav.paw.health.model.ReadinessHealthIndicator
 import no.nav.paw.health.repository.HealthIndicatorRepository
+import no.nav.paw.kafkakeygenerator.auth.AZURE_M2M_CONFIG
+import no.nav.paw.kafkakeygenerator.auth.AzureM2MConfig
 import no.nav.paw.kafkakeygenerator.auth.azureAdM2MTokenClient
+import no.nav.paw.kafkakeygenerator.client.KAFKA_KEY_GENERATOR_CLIENT_CONFIG
+import no.nav.paw.kafkakeygenerator.client.KafkaKeyConfig
 import no.nav.paw.kafkakeygenerator.client.KafkaKeysClient
 import no.nav.paw.kafkakeygenerator.client.kafkaKeysClient
+import no.nav.paw.security.authentication.config.SECURITY_CONFIG
+import no.nav.paw.security.authentication.config.SecurityConfig
 import no.nav.poao_tilgang.client.PoaoTilgangCachedClient
 import no.nav.poao_tilgang.client.PoaoTilgangHttpClient
 import org.apache.kafka.clients.consumer.KafkaConsumer
@@ -36,6 +45,7 @@ import javax.sql.DataSource
 data class ApplicationContext(
     val serverConfig: ServerConfig,
     val applicationConfig: ApplicationConfig,
+    val securityConfig: SecurityConfig,
     val dataSource: DataSource,
     val kafkaKeysClient: KafkaKeysClient,
     val prometheusMeterRegistry: PrometheusMeterRegistry,
@@ -49,16 +59,19 @@ data class ApplicationContext(
     companion object {
         fun create(): ApplicationContext {
             val serverConfig = loadNaisOrLocalConfiguration<ServerConfig>(SERVER_CONFIG_FILE_NAME)
-            val applicationConfig = loadNaisOrLocalConfiguration<ApplicationConfig>(APPLICATION_CONFIG_FILE_NAME)
+            val applicationConfig = loadNaisOrLocalConfiguration<ApplicationConfig>(APPLICATION_CONFIG)
+            val securityConfig = loadNaisOrLocalConfiguration<SecurityConfig>(SECURITY_CONFIG)
+            val kafkaConfig = loadNaisOrLocalConfiguration<KafkaConfig>(KAFKA_CONFIG_WITH_SCHEME_REG)
+            val azureM2MConfig = loadNaisOrLocalConfiguration<AzureM2MConfig>(AZURE_M2M_CONFIG)
+            val kafkaKeysClientConfig = loadNaisOrLocalConfiguration<KafkaKeyConfig>(KAFKA_KEY_GENERATOR_CLIENT_CONFIG)
+            val poaoTilgangClientConfig = loadNaisOrLocalConfiguration<KafkaKeyConfig>(POAO_TILGANG_CLIENT_CONFIG)
 
             val dataSource = createDataSource(applicationConfig.database)
 
-            val azureM2MTokenClient = azureAdM2MTokenClient(
-                serverConfig.runtimeEnvironment, applicationConfig.azureM2M
-            )
+            val azureM2MTokenClient = azureAdM2MTokenClient(serverConfig.runtimeEnvironment, azureM2MConfig)
 
-            val kafkaKeysClient = kafkaKeysClient(applicationConfig.kafkaKeysClient) {
-                azureM2MTokenClient.createMachineToMachineToken(applicationConfig.kafkaKeysClient.scope)
+            val kafkaKeysClient = kafkaKeysClient(kafkaKeysClientConfig) {
+                azureM2MTokenClient.createMachineToMachineToken(kafkaKeysClientConfig.scope)
             }
 
             val prometheusMeterRegistry = PrometheusMeterRegistry(PrometheusConfig.DEFAULT)
@@ -67,8 +80,8 @@ data class ApplicationContext(
 
             val poaoTilgangClient = PoaoTilgangCachedClient(
                 PoaoTilgangHttpClient(
-                    baseUrl = applicationConfig.poaoClientConfig.url,
-                    { azureM2MTokenClient.createMachineToMachineToken(applicationConfig.poaoClientConfig.scope) }
+                    baseUrl = poaoTilgangClientConfig.url,
+                    { azureM2MTokenClient.createMachineToMachineToken(poaoTilgangClientConfig.scope) }
                 )
             )
 
@@ -79,7 +92,7 @@ data class ApplicationContext(
                 healthIndicatorRepository.addReadinessIndicator(ReadinessHealthIndicator(HealthStatus.HEALTHY))
             )
 
-            val kafkaFactory = KafkaFactory(applicationConfig.kafkaClients)
+            val kafkaFactory = KafkaFactory(kafkaConfig)
 
             val kafkaProducer = kafkaFactory.createProducer<Long, Bekreftelse>(
                 clientId = applicationConfig.kafkaTopology.producerId,
@@ -110,6 +123,7 @@ data class ApplicationContext(
             return ApplicationContext(
                 serverConfig,
                 applicationConfig,
+                securityConfig,
                 dataSource,
                 kafkaKeysClient,
                 prometheusMeterRegistry,

apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/plugins/Authentication.kt

@@ -9,7 +9,7 @@ import no.nav.security.token.support.v2.TokenSupportConfig
 import no.nav.security.token.support.v2.tokenValidationSupport
 
 fun Application.configureAuthentication(applicationContext: ApplicationContext) {
-    with(applicationContext.applicationConfig) {
+    with(applicationContext.securityConfig) {
         authentication {
             authProviders.forEach { provider ->
                 tokenValidationSupport(

apps/bekreftelse-api/src/main/resources/local/application_config.toml

@@ -1,49 +1,6 @@
 [autorisasjon]
 corsAllowOrigins = "localhost"
 
-[[authProviders]]
-name = "idporten"
-discoveryUrl = "http://localhost:8081/idporten/.well-known/openid-configuration"
-clientId = "paw-arbeidssoekerregisteret-api-bekreftelse"
-
-    [authProviders.claims]
-    map = ["acr=idporten-loa-high"]
-
-[[authProviders]]
-name = "tokenx"
-discoveryUrl = "http://localhost:8081/tokenx/.well-known/openid-configuration"
-clientId = "paw-arbeidssoekerregisteret-api-bekreftelse"
-
-    [authProviders.claims]
-    map = ["acr=Level4", "acr=idporten-loa-high"]
-    combineWithOr = true
-
-[[authProviders]]
-name = "azure"
-discoveryUrl = "http://localhost:8081/azure/.well-known/openid-configuration"
-clientId = "paw-arbeidssoekerregisteret-api-bekreftelse"
-
-    [authProviders.claims]
-    map = ["NAVident"]
-
-[azureM2M]
-tokenEndpointUrl = "http://localhost:8081/azure/token"
-clientId = "paw-arbeidssoekerregisteret-api-bekreftelse"
-
-[poaoClientConfig]
-url = "http://localhost:8090/poao-tilgang/"
-scope = "api://test.test.poao-tilgang/.default"
-
-[kafkaKeysClient]
-url = "http://localhost:8090/kafka-keys"
-scope = "api://test.test.kafka-keys/.default"
-
-[kafkaClients]
-brokers = "localhost:9092"
-
-    [kafkaClients.schemaRegistry]
-    url = "http://localhost:8082"
-
 [kafkaTopology]
 version = 1
 antallPartitioner = 1

apps/bekreftelse-api/src/main/resources/local/azure_m2m.toml

@@ -0,0 +1,2 @@
+tokenEndpointUrl = "http://localhost:8081/azure/token"
+clientId = "paw-arbeidssoekerregisteret-api-bekreftelse"

apps/bekreftelse-api/src/main/resources/local/kafka_configuration_schemareg.toml

@@ -0,0 +1,3 @@
+brokers = "localhost:9092"
+[schemaRegistry]
+url = "http://localhost:8082"

apps/bekreftelse-api/src/main/resources/local/kafka_key_generator_client_config.toml

@@ -0,0 +1,2 @@
+url = "http://localhost:8090/kafka-keys"
+scope = "api://test.test.kafka-keys/.default"

apps/bekreftelse-api/src/main/resources/local/poao_tilgang_client_config.toml

@@ -0,0 +1,2 @@
+url = "http://localhost:8090/poao-tilgang/"
+scope = "api://test.test.poao-tilgang/.default"

apps/bekreftelse-api/src/main/resources/local/security_config.toml

@@ -0,0 +1,24 @@
+[[authProviders]]
+name = "idporten"
+clientId = "paw-arbeidssoekerregisteret-api-bekreftelse"
+discoveryUrl = "http://localhost:8081/idporten/.well-known/openid-configuration"
+
+    [authProviders.claims]
+    map = ["acr=idporten-loa-high"]
+
+[[authProviders]]
+name = "tokenx"
+clientId = "paw-arbeidssoekerregisteret-api-bekreftelse"
+discoveryUrl = "http://localhost:8081/tokenx/.well-known/openid-configuration"
+
+    [authProviders.claims]
+    map = ["acr=Level4", "acr=idporten-loa-high"]
+    combineWithOr = true
+
+[[authProviders]]
+name = "azure"
+clientId = "paw-arbeidssoekerregisteret-api-bekreftelse"
+discoveryUrl = "http://localhost:8081/azure/.well-known/openid-configuration"
+
+    [authProviders.claims]
+    map = ["NAVident"]

apps/bekreftelse-api/src/main/resources/nais/application_config.toml

@@ -1,56 +1,6 @@
 [autorisasjon]
 corsAllowOrigins = "${CORS_ALLOW_ORIGINS}"
 
-[[authProviders]]
-name = "idporten"
-discoveryUrl = "${IDPORTEN_WELL_KNOWN_URL}
-clientId = "${IDPORTEN_CLIENT_ID}"
-
-    [authProviders.claims]
-    map = ["acr=idporten-loa-high"]
-
-[[authProviders]]
-name = "tokenx"
-discoveryUrl = "${TOKEN_X_WELL_KNOWN_URL}"
-clientId = "${TOKEN_X_CLIENT_ID}"
-
-    [authProviders.claims]
-    map = ["acr=Level4", "acr=idporten-loa-high"]
-    combineWithOr = true
-
-[[authProviders]]
-name = "azure"
-discoveryUrl = "${AZURE_APP_WELL_KNOWN_URL}"
-clientId = "${AZURE_APP_CLIENT_ID}"
-
-    [authProviders.claims]
-    map = ["NAVident"]
-
-[azureM2M]
-tokenEndpointUrl = "${AZURE_OPENID_CONFIG_TOKEN_ENDPOINT}"
-clientId = "${AZURE_APP_CLIENT_ID}"
-
-[poaoClientConfig]
-url = "http://poao-tilgang.poao.svc.cluster.local"
-scope = "api://${NAIS_CLUSTER_NAME}.poao.poao-tilgang/.default"
-
-[kafkaKeysClient]
-url = "http://paw-kafka-key-generator/api/v2/hentEllerOpprett"
-scope = "api://${NAIS_CLUSTER_NAME}.paw.paw-kafka-key-generator/.default"
-
-[kafkaClients]
-brokers = "${KAFKA_BROKERS}"
-
-    [kafkaClients.authentication]
-    keystorePath = "${KAFKA_KEYSTORE_PATH}"
-    truststorePath = "${KAFKA_TRUSTSTORE_PATH}"
-    credstorePassword = "${KAFKA_CREDSTORE_PASSWORD}"
-
-    [kafkaClients.schemaRegistry]
-    url = "${KAFKA_SCHEMA_REGISTRY}"
-    username = "${KAFKA_SCHEMA_REGISTRY_USER}"
-    password = "${KAFKA_SCHEMA_REGISTRY_PASSWORD}"
-
 [kafkaTopology]
 version = 1
 antallPartitioner = 6

apps/bekreftelse-api/src/main/resources/nais/poao_tilgang_client_config.toml

@@ -0,0 +1,2 @@
+url = "http://poao-tilgang.poao.svc.cluster.local"
+scope = "api://${NAIS_CLUSTER_NAME}.poao.poao-tilgang/.default"

apps/bekreftelse-api/src/main/resources/nais/security_config.toml

@@ -0,0 +1,24 @@
+[[authProviders]]
+name = "idporten"
+discoveryUrl = "${IDPORTEN_WELL_KNOWN_URL}
+clientId = "${IDPORTEN_CLIENT_ID}"
+
+    [authProviders.claims]
+    map = ["acr=idporten-loa-high"]
+
+[[authProviders]]
+name = "tokenx"
+discoveryUrl = "${TOKEN_X_WELL_KNOWN_URL}"
+clientId = "${TOKEN_X_CLIENT_ID}"
+
+    [authProviders.claims]
+    map = ["acr=Level4", "acr=idporten-loa-high"]
+    combineWithOr = true
+
+[[authProviders]]
+name = "azure"
+discoveryUrl = "${AZURE_APP_WELL_KNOWN_URL}"
+clientId = "${AZURE_APP_CLIENT_ID}"
+
+    [authProviders.claims]
+    map = ["NAVident"]