From 145208f3c26d3e21121b00de50d9d52eb3a5a589 Mon Sep 17 00:00:00 2001 
From: Thomas Johansen Date: Fri, 1 Nov 2024 07:13:47 +0100 Subject: [PATCH] La til felles sikkerhetsconfig, splittet config-filer i bekreftelse-api --- apps/bekreftelse-api/nais/nais-dev.yaml | 6 ++- apps/bekreftelse-api/nais/nais-prod.yaml | 6 ++- .../api/config/ApplicationConfig.kt | 28 +---------- .../api/context/ApplicationContext.kt | 34 +++++++++---- .../bekreftelse/api/plugins/Authentication.kt | 2 +- .../resources/local/application_config.toml | 43 ---------------- .../src/main/resources/local/azure_m2m.toml | 2 + .../local/kafka_configuration_schemareg.toml | 3 ++ .../kafka_key_generator_client_config.toml | 2 + .../local/poao_tilgang_client_config.toml | 2 + .../main/resources/local/security_config.toml | 24 +++++++++ .../resources/nais/application_config.toml | 50 ------------------- .../nais/poao_tilgang_client_config.toml | 2 + .../main/resources/nais/security_config.toml | 24 +++++++++ .../api/test/ApplicationTestContext.kt | 41 +++++++-------- .../api/test/KafkaTestDataProducer.kt | 9 ++-- docker/README.md | 45 +++++++++++++++++ .../kafkakeygenerator/auth/AzureM2MConfig.kt | 2 + .../paw/kafkakeygenerator/client/Factory.kt | 12 +++-- .../client/KafkaKeyConfig.kt | 2 + .../authentication/config/SecurityConfig.kt | 17 +++++++ 21 files changed, 194 insertions(+), 162 deletions(-) create mode 100644 apps/bekreftelse-api/src/main/resources/local/azure_m2m.toml create mode 100644 apps/bekreftelse-api/src/main/resources/local/kafka_configuration_schemareg.toml create mode 100644 apps/bekreftelse-api/src/main/resources/local/kafka_key_generator_client_config.toml create mode 100644 apps/bekreftelse-api/src/main/resources/local/poao_tilgang_client_config.toml create mode 100644 apps/bekreftelse-api/src/main/resources/local/security_config.toml create mode 100644 apps/bekreftelse-api/src/main/resources/nais/poao_tilgang_client_config.toml create mode 100644 apps/bekreftelse-api/src/main/resources/nais/security_config.toml create mode 100644 docker/README.md 
create mode 100644 lib/security/src/main/kotlin/no/nav/paw/security/authentication/config/SecurityConfig.kt diff --git a/apps/bekreftelse-api/nais/nais-dev.yaml b/apps/bekreftelse-api/nais/nais-dev.yaml index b5d0d6d3..c1615a59 100644 --- a/apps/bekreftelse-api/nais/nais-dev.yaml +++ b/apps/bekreftelse-api/nais/nais-dev.yaml @@ -9,12 +9,14 @@ spec: image: {{ image }} port: 8080 env: + - name: CORS_ALLOW_ORIGINS + value: "www.intern.dev.nav.no" - name: KAFKA_PAW_ARBEIDSSOKER_BEKREFTELSE_TOPIC value: "paw.arbeidssoker-bekreftelse-beta-v2" - name: KAFKA_PAW_ARBEIDSSOKER_BEKREFTELSE_HENDELSESLOGG_TOPIC value: "paw.arbeidssoker-bekreftelse-hendelseslogg-beta-v2" - - name: CORS_ALLOW_ORIGINS - value: "www.intern.dev.nav.no" + - name: KAFKA_KEYS_SCOPE + value: "api://dev-gcp.paw.paw-kafka-key-generator/.default" replicas: min: 2 max: 2 diff --git a/apps/bekreftelse-api/nais/nais-prod.yaml b/apps/bekreftelse-api/nais/nais-prod.yaml index 9ef45dc1..1985ef0c 100644 --- a/apps/bekreftelse-api/nais/nais-prod.yaml +++ b/apps/bekreftelse-api/nais/nais-prod.yaml @@ -9,12 +9,14 @@ spec: image: {{ image }} port: 8080 env: + - name: CORS_ALLOW_ORIGINS + value: "www.intern.nav.no" - name: KAFKA_PAW_ARBEIDSSOKER_BEKREFTELSE_TOPIC value: "paw.arbeidssoker-bekreftelse-v1" - name: KAFKA_PAW_ARBEIDSSOKER_BEKREFTELSE_HENDELSESLOGG_TOPIC value: "paw.arbeidssoker-bekreftelse-hendelseslogg-v1" - - name: CORS_ALLOW_ORIGINS - value: "www.intern.nav.no" + - name: KAFKA_KEYS_SCOPE + value: "api://prod-gcp.paw.paw-kafka-key-generator/.default" replicas: min: 2 max: 2 diff --git a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/config/ApplicationConfig.kt b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/config/ApplicationConfig.kt index 051dc985..790fe1fd 100644 --- a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/config/ApplicationConfig.kt +++ b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/config/ApplicationConfig.kt 
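Review bot: `KAFKA_KEYS_SCOPE` is added to both manifests but nothing in this patch reads it; the scope previously lived in the deleted `[kafkaKeysClient]` block of `nais/application_config.toml` as `scope = "api://${NAIS_CLUSTER_NAME}.paw.paw-kafka-key-generator/.default"` next to `url = "http://paw-kafka-key-generator/api/v2/hentEllerOpprett"`. The replacement `nais/kafka_key_generator_client_config.toml` is loaded through `KAFKA_KEY_GENERATOR_CLIENT_CONFIG` but is not in the diff (only the `local/` variant is created), so I cannot see whether it resolves `${KAFKA_KEYS_SCOPE}` or still targets that URL. If the lib's file derives the scope from `NAIS_CLUSTER_NAME` the new variable is dead, and if the two disagree the M2M token is minted for the wrong audience and every key lookup fails at runtime. Please confirm the consumer, and since the value only varies per cluster consider keeping it derived from `NAIS_CLUSTER_NAME` instead of hard-coding it in two manifests.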
@@ -1,19 +1,12 @@ package no.nav.paw.bekreftelse.api.config -import no.nav.paw.config.kafka.KafkaConfig -import no.nav.paw.kafkakeygenerator.auth.AzureM2MConfig -import no.nav.paw.kafkakeygenerator.client.KafkaKeyConfig import java.time.Duration -const val APPLICATION_CONFIG_FILE_NAME = "application_config.toml" +const val APPLICATION_CONFIG = "application_config.toml" +const val POAO_TILGANG_CLIENT_CONFIG = "poao_tilgang_client_config.toml" data class ApplicationConfig( val autorisasjon: AutorisasjonConfig, - val authProviders: List, - val azureM2M: AzureM2MConfig, - val poaoClientConfig: ServiceClientConfig, - val kafkaKeysClient: KafkaKeyConfig, - val kafkaClients: KafkaConfig, val kafkaTopology: KafkaTopologyConfig, val database: DatabaseConfig ) @@ -22,23 +15,6 @@ data class AutorisasjonConfig( val corsAllowOrigins: String? = null ) -data class ServiceClientConfig( - val url: String, - val scope: String -) - -data class AuthProvider( - val name: String, - val discoveryUrl: String, - val clientId: String, - val claims: AuthProviderClaims -) - -data class AuthProviderClaims( - val map: List, - val combineWithOr: Boolean = false -) - data class KafkaTopologyConfig( val version: Int, val antallPartitioner: Int, diff --git a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/context/ApplicationContext.kt b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/context/ApplicationContext.kt index 3feedbd3..a3cbb012 100644 --- a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/context/ApplicationContext.kt +++ b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/context/ApplicationContext.kt 
@@ -2,8 +2,9 @@ package no.nav.paw.bekreftelse.api.context import io.micrometer.prometheusmetrics.PrometheusConfig import io.micrometer.prometheusmetrics.PrometheusMeterRegistry -import no.nav.paw.bekreftelse.api.config.APPLICATION_CONFIG_FILE_NAME +import no.nav.paw.bekreftelse.api.config.APPLICATION_CONFIG import no.nav.paw.bekreftelse.api.config.ApplicationConfig +import no.nav.paw.bekreftelse.api.config.POAO_TILGANG_CLIENT_CONFIG import no.nav.paw.bekreftelse.api.config.SERVER_CONFIG_FILE_NAME import no.nav.paw.bekreftelse.api.config.ServerConfig import no.nav.paw.bekreftelse.api.handler.KafkaConsumerExceptionHandler 
@@ -17,14 +18,22 @@ import no.nav.paw.bekreftelse.internehendelser.BekreftelseHendelse import no.nav.paw.bekreftelse.internehendelser.BekreftelseHendelseDeserializer import no.nav.paw.bekreftelse.melding.v1.Bekreftelse import no.nav.paw.config.hoplite.loadNaisOrLocalConfiguration +import no.nav.paw.config.kafka.KAFKA_CONFIG_WITH_SCHEME_REG +import no.nav.paw.config.kafka.KafkaConfig import no.nav.paw.config.kafka.KafkaFactory import no.nav.paw.health.model.HealthStatus import no.nav.paw.health.model.LivenessHealthIndicator import no.nav.paw.health.model.ReadinessHealthIndicator import no.nav.paw.health.repository.HealthIndicatorRepository +import no.nav.paw.kafkakeygenerator.auth.AZURE_M2M_CONFIG +import no.nav.paw.kafkakeygenerator.auth.AzureM2MConfig import no.nav.paw.kafkakeygenerator.auth.azureAdM2MTokenClient +import no.nav.paw.kafkakeygenerator.client.KAFKA_KEY_GENERATOR_CLIENT_CONFIG +import no.nav.paw.kafkakeygenerator.client.KafkaKeyConfig import no.nav.paw.kafkakeygenerator.client.KafkaKeysClient import no.nav.paw.kafkakeygenerator.client.kafkaKeysClient +import no.nav.paw.security.authentication.config.SECURITY_CONFIG +import no.nav.paw.security.authentication.config.SecurityConfig import no.nav.poao_tilgang.client.PoaoTilgangCachedClient import no.nav.poao_tilgang.client.PoaoTilgangHttpClient import org.apache.kafka.clients.consumer.KafkaConsumer @@ -36,6 +45,7 @@ import javax.sql.DataSource data class ApplicationContext( val serverConfig: ServerConfig, val applicationConfig: ApplicationConfig, + val securityConfig: SecurityConfig, val dataSource: DataSource, val kafkaKeysClient: KafkaKeysClient, val prometheusMeterRegistry: PrometheusMeterRegistry, 
@@ -49,16 +59,19 @@ data class ApplicationContext( companion object { fun create(): ApplicationContext { val serverConfig = loadNaisOrLocalConfiguration(SERVER_CONFIG_FILE_NAME) - val applicationConfig = loadNaisOrLocalConfiguration(APPLICATION_CONFIG_FILE_NAME) + val applicationConfig = loadNaisOrLocalConfiguration(APPLICATION_CONFIG) + val securityConfig = loadNaisOrLocalConfiguration(SECURITY_CONFIG) + val kafkaConfig = loadNaisOrLocalConfiguration(KAFKA_CONFIG_WITH_SCHEME_REG) + val azureM2MConfig = loadNaisOrLocalConfiguration(AZURE_M2M_CONFIG) + val kafkaKeysClientConfig = loadNaisOrLocalConfiguration(KAFKA_KEY_GENERATOR_CLIENT_CONFIG) + val poaoTilgangClientConfig = loadNaisOrLocalConfiguration(POAO_TILGANG_CLIENT_CONFIG) val dataSource = createDataSource(applicationConfig.database) - val azureM2MTokenClient = azureAdM2MTokenClient( - serverConfig.runtimeEnvironment, applicationConfig.azureM2M - ) + val azureM2MTokenClient = azureAdM2MTokenClient(serverConfig.runtimeEnvironment, azureM2MConfig) - val kafkaKeysClient = kafkaKeysClient(applicationConfig.kafkaKeysClient) { - azureM2MTokenClient.createMachineToMachineToken(applicationConfig.kafkaKeysClient.scope) + val kafkaKeysClient = kafkaKeysClient(kafkaKeysClientConfig) { + azureM2MTokenClient.createMachineToMachineToken(kafkaKeysClientConfig.scope) } val prometheusMeterRegistry = PrometheusMeterRegistry(PrometheusConfig.DEFAULT) @@ -67,8 +80,8 @@ data class ApplicationContext( val poaoTilgangClient = PoaoTilgangCachedClient( PoaoTilgangHttpClient( - baseUrl = applicationConfig.poaoClientConfig.url, - { azureM2MTokenClient.createMachineToMachineToken(applicationConfig.poaoClientConfig.scope) } + baseUrl = poaoTilgangClientConfig.url, + { azureM2MTokenClient.createMachineToMachineToken(poaoTilgangClientConfig.scope) } ) ) 
@@ -79,7 +92,7 @@ data class ApplicationContext( healthIndicatorRepository.addReadinessIndicator(ReadinessHealthIndicator(HealthStatus.HEALTHY)) ) - val kafkaFactory = KafkaFactory(applicationConfig.kafkaClients) + val kafkaFactory = KafkaFactory(kafkaConfig) val kafkaProducer = kafkaFactory.createProducer( clientId = applicationConfig.kafkaTopology.producerId, @@ -110,6 +123,7 @@ data class ApplicationContext( return ApplicationContext( serverConfig, applicationConfig, + securityConfig, dataSource, kafkaKeysClient, prometheusMeterRegistry, diff --git a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/plugins/Authentication.kt b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/plugins/Authentication.kt index fa987813..09a3e26e 100644 --- a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/plugins/Authentication.kt +++ b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/plugins/Authentication.kt @@ -9,7 +9,7 @@ import no.nav.security.token.support.v2.TokenSupportConfig import no.nav.security.token.support.v2.tokenValidationSupport fun Application.configureAuthentication(applicationContext: ApplicationContext) { - with(applicationContext.applicationConfig) { + with(applicationContext.securityConfig) { authentication { authProviders.forEach { provider -> tokenValidationSupport( diff --git a/apps/bekreftelse-api/src/main/resources/local/application_config.toml b/apps/bekreftelse-api/src/main/resources/local/application_config.toml index ed70c1e3..8842873e 100644 --- a/apps/bekreftelse-api/src/main/resources/local/application_config.toml +++ b/apps/bekreftelse-api/src/main/resources/local/application_config.toml 
@@ -1,49 +1,6 @@ [autorisasjon] corsAllowOrigins = "localhost" -[[authProviders]] -name = "idporten" -discoveryUrl = "http://localhost:8081/idporten/.well-known/openid-configuration" -clientId = "paw-arbeidssoekerregisteret-api-bekreftelse" - - [authProviders.claims] - map = ["acr=idporten-loa-high"] - -[[authProviders]] -name = "tokenx" -discoveryUrl = "http://localhost:8081/tokenx/.well-known/openid-configuration" -clientId = "paw-arbeidssoekerregisteret-api-bekreftelse" - - [authProviders.claims] - map = ["acr=Level4", "acr=idporten-loa-high"] - combineWithOr = true - -[[authProviders]] -name = "azure" -discoveryUrl = "http://localhost:8081/azure/.well-known/openid-configuration" -clientId = "paw-arbeidssoekerregisteret-api-bekreftelse" - - [authProviders.claims] - map = ["NAVident"] - -[azureM2M] -tokenEndpointUrl = "http://localhost:8081/azure/token" -clientId = "paw-arbeidssoekerregisteret-api-bekreftelse" - -[poaoClientConfig] -url = "http://localhost:8090/poao-tilgang/" -scope = "api://test.test.poao-tilgang/.default" - -[kafkaKeysClient] -url = "http://localhost:8090/kafka-keys" -scope = "api://test.test.kafka-keys/.default" - -[kafkaClients] -brokers = "localhost:9092" - - [kafkaClients.schemaRegistry] - url = "http://localhost:8082" - [kafkaTopology] version = 1 antallPartitioner = 1 diff --git a/apps/bekreftelse-api/src/main/resources/local/azure_m2m.toml b/apps/bekreftelse-api/src/main/resources/local/azure_m2m.toml new file mode 100644 index 00000000..b4adef13 --- /dev/null +++ b/apps/bekreftelse-api/src/main/resources/local/azure_m2m.toml @@ -0,0 +1,2 @@ +tokenEndpointUrl = "http://localhost:8081/azure/token" +clientId = "paw-arbeidssoekerregisteret-api-bekreftelse" diff --git a/apps/bekreftelse-api/src/main/resources/local/kafka_configuration_schemareg.toml b/apps/bekreftelse-api/src/main/resources/local/kafka_configuration_schemareg.toml new file mode 100644 index 00000000..9d70b952 --- /dev/null 
+++ b/apps/bekreftelse-api/src/main/resources/local/kafka_configuration_schemareg.toml
@@ -0,0 +1,3 @@
+brokers = "localhost:9092"
+[schemaRegistry]
+url = "http://localhost:8082"
diff --git a/apps/bekreftelse-api/src/main/resources/local/kafka_key_generator_client_config.toml b/apps/bekreftelse-api/src/main/resources/local/kafka_key_generator_client_config.toml
new file mode 100644
index 00000000..1d7a2484
--- /dev/null
+++ b/apps/bekreftelse-api/src/main/resources/local/kafka_key_generator_client_config.toml
@@ -0,0 +1,2 @@
+url = "http://localhost:8090/kafka-keys"
+scope = "api://test.test.kafka-keys/.default"
diff --git a/apps/bekreftelse-api/src/main/resources/local/poao_tilgang_client_config.toml b/apps/bekreftelse-api/src/main/resources/local/poao_tilgang_client_config.toml
new file mode 100644
index 00000000..0a592b53
--- /dev/null
+++ b/apps/bekreftelse-api/src/main/resources/local/poao_tilgang_client_config.toml
@@ -0,0 +1,2 @@
+url = "http://localhost:8090/poao-tilgang/"
+scope = "api://test.test.poao-tilgang/.default"
diff --git a/apps/bekreftelse-api/src/main/resources/local/security_config.toml b/apps/bekreftelse-api/src/main/resources/local/security_config.toml
new file mode 100644
index 00000000..a4ed6ae9
--- /dev/null
+++ b/apps/bekreftelse-api/src/main/resources/local/security_config.toml
@@ -0,0 +1,24 @@
+[[authProviders]]
+name = "idporten"
+clientId = "paw-arbeidssoekerregisteret-api-bekreftelse"
+discoveryUrl = "http://localhost:8081/idporten/.well-known/openid-configuration"
+
+ [authProviders.claims]
+ map = ["acr=idporten-loa-high"]
+
+[[authProviders]]
+name = "tokenx"
+clientId = "paw-arbeidssoekerregisteret-api-bekreftelse"
+discoveryUrl = "http://localhost:8081/tokenx/.well-known/openid-configuration"
+
+ [authProviders.claims]
+ map = ["acr=Level4", "acr=idporten-loa-high"]
+ combineWithOr = true
+
+[[authProviders]]
+name = "azure"
+clientId = "paw-arbeidssoekerregisteret-api-bekreftelse"
+discoveryUrl = "http://localhost:8081/azure/.well-known/openid-configuration"
+
+ [authProviders.claims]
+ map = ["NAVident"]
diff --git a/apps/bekreftelse-api/src/main/resources/nais/application_config.toml b/apps/bekreftelse-api/src/main/resources/nais/application_config.toml
index 832ef2d6..b4d43614 100644
--- a/apps/bekreftelse-api/src/main/resources/nais/application_config.toml
+++ b/apps/bekreftelse-api/src/main/resources/nais/application_config.toml
@@ -1,56 +1,6 @@ [autorisasjon] corsAllowOrigins = "${CORS_ALLOW_ORIGINS}" -[[authProviders]] -name = "idporten" -discoveryUrl = "${IDPORTEN_WELL_KNOWN_URL} -clientId = "${IDPORTEN_CLIENT_ID}" - - [authProviders.claims] - map = ["acr=idporten-loa-high"] - -[[authProviders]] -name = "tokenx" -discoveryUrl = "${TOKEN_X_WELL_KNOWN_URL}" -clientId = "${TOKEN_X_CLIENT_ID}" - - [authProviders.claims] - map = ["acr=Level4", "acr=idporten-loa-high"] - combineWithOr = true - -[[authProviders]] -name = "azure" -discoveryUrl = "${AZURE_APP_WELL_KNOWN_URL}" -clientId = "${AZURE_APP_CLIENT_ID}" - - [authProviders.claims] - map = ["NAVident"] - -[azureM2M] -tokenEndpointUrl = "${AZURE_OPENID_CONFIG_TOKEN_ENDPOINT}" -clientId = "${AZURE_APP_CLIENT_ID}" - -[poaoClientConfig] -url = "http://poao-tilgang.poao.svc.cluster.local" -scope = "api://${NAIS_CLUSTER_NAME}.poao.poao-tilgang/.default" - -[kafkaKeysClient] -url = "http://paw-kafka-key-generator/api/v2/hentEllerOpprett" -scope = "api://${NAIS_CLUSTER_NAME}.paw.paw-kafka-key-generator/.default" - -[kafkaClients] -brokers = "${KAFKA_BROKERS}" - - [kafkaClients.authentication] - keystorePath = "${KAFKA_KEYSTORE_PATH}" - truststorePath = "${KAFKA_TRUSTSTORE_PATH}" - credstorePassword = "${KAFKA_CREDSTORE_PASSWORD}" - - [kafkaClients.schemaRegistry] - url = "${KAFKA_SCHEMA_REGISTRY}" - username = "${KAFKA_SCHEMA_REGISTRY_USER}" - password = "${KAFKA_SCHEMA_REGISTRY_PASSWORD}" - [kafkaTopology] version = 1 antallPartitioner = 6 diff --git a/apps/bekreftelse-api/src/main/resources/nais/poao_tilgang_client_config.toml b/apps/bekreftelse-api/src/main/resources/nais/poao_tilgang_client_config.toml new file mode 100644 index 00000000..b752e21d --- /dev/null +++ b/apps/bekreftelse-api/src/main/resources/nais/poao_tilgang_client_config.toml @@ -0,0 +1,2 @@ +url = "http://poao-tilgang.poao.svc.cluster.local" +scope = "api://${NAIS_CLUSTER_NAME}.poao.poao-tilgang/.default" 
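Review bot: The removed `[kafkaClients.authentication]` and `[kafkaClients.schemaRegistry]` blocks carried the keystore/truststore paths, `${KAFKA_CREDSTORE_PASSWORD}` and the schema-registry `username`/`password`, and their replacement `nais/kafka_configuration_schemareg.toml` is not part of this patch — only the `local/` variant with a plaintext `localhost:9092` broker is created. `ApplicationContext.create()` now builds `KafkaFactory(kafkaConfig)` from whatever the lib's `KAFKA_CONFIG_WITH_SCHEME_REG` file contains, so if that file has no `[authentication]` section the producer and consumer would be configured without mTLS to the brokers and without basic auth to the schema registry. Please confirm the lib's nais file carries the same `keystorePath`/`truststorePath`/`credstorePassword` and schema-registry credential entries before merging, or add an app-local `nais/kafka_configuration_schemareg.toml` with them.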
diff --git a/apps/bekreftelse-api/src/main/resources/nais/security_config.toml b/apps/bekreftelse-api/src/main/resources/nais/security_config.toml
new file mode 100644
index 00000000..a1acdee5
--- /dev/null
+++ b/apps/bekreftelse-api/src/main/resources/nais/security_config.toml
@@ -0,0 +1,24 @@
+[[authProviders]]
+name = "idporten"
+discoveryUrl = "${IDPORTEN_WELL_KNOWN_URL}
+clientId = "${IDPORTEN_CLIENT_ID}"
+
+ [authProviders.claims]
+ map = ["acr=idporten-loa-high"]
+
+[[authProviders]]
+name = "tokenx"
+discoveryUrl = "${TOKEN_X_WELL_KNOWN_URL}"
+clientId = "${TOKEN_X_CLIENT_ID}"
+
+ [authProviders.claims]
+ map = ["acr=Level4", "acr=idporten-loa-high"]
+ combineWithOr = true
+
+[[authProviders]]
+name = "azure"
+discoveryUrl = "${AZURE_APP_WELL_KNOWN_URL}"
+clientId = "${AZURE_APP_CLIENT_ID}"
+
+ [authProviders.claims]
+ map = ["NAVident"]
diff --git a/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/ApplicationTestContext.kt b/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/ApplicationTestContext.kt
index 9998014e..6b3f6ad8 100644
--- a/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/ApplicationTestContext.kt
+++ b/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/ApplicationTestContext.kt
@@ -8,10 +8,8 @@ import io.ktor.server.testing.ApplicationTestBuilder
 import io.micrometer.prometheusmetrics.PrometheusConfig
 import io.micrometer.prometheusmetrics.PrometheusMeterRegistry
 import io.mockk.mockk
-import no.nav.paw.bekreftelse.api.config.APPLICATION_CONFIG_FILE_NAME
+import no.nav.paw.bekreftelse.api.config.APPLICATION_CONFIG
 import no.nav.paw.bekreftelse.api.config.ApplicationConfig
-import no.nav.paw.bekreftelse.api.config.AuthProvider
-import no.nav.paw.bekreftelse.api.config.AuthProviderClaims
 import no.nav.paw.bekreftelse.api.config.SERVER_CONFIG_FILE_NAME
 import no.nav.paw.bekreftelse.api.config.ServerConfig
 import no.nav.paw.bekreftelse.api.context.ApplicationContext
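Review bot: `discoveryUrl = "${IDPORTEN_WELL_KNOWN_URL}` for the idporten provider has no closing quote, copied verbatim from the block removed from `nais/application_config.toml`; unless this is an artifact of how the patch was rendered, the line is not valid TOML and `loadNaisOrLocalConfiguration(SECURITY_CONFIG)` will either abort startup or hand an unexpected discovery URL to `tokenValidationSupport`. The fix is `discoveryUrl = "${IDPORTEN_WELL_KNOWN_URL}"`. Since this file now defines every issuer the API accepts, a config-load test that parses the nais variant with the `${...}` placeholders set would catch this class of mistake before deploy.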
@@ -35,6 +33,10 @@ import no.nav.paw.health.model.LivenessHealthIndicator import no.nav.paw.health.model.ReadinessHealthIndicator import no.nav.paw.health.repository.HealthIndicatorRepository import no.nav.paw.kafkakeygenerator.client.KafkaKeysClient +import no.nav.paw.security.authentication.config.AuthProvider +import no.nav.paw.security.authentication.config.AuthProviderClaims +import no.nav.paw.security.authentication.config.SECURITY_CONFIG +import no.nav.paw.security.authentication.config.SecurityConfig import no.nav.paw.security.authentication.token.AzureAd import no.nav.paw.security.authentication.token.IdPorten import no.nav.paw.security.authentication.token.TokenX @@ -49,7 +51,8 @@ import javax.sql.DataSource class ApplicationTestContext { val serverConfig = loadNaisOrLocalConfiguration(SERVER_CONFIG_FILE_NAME) - val applicationConfig = loadNaisOrLocalConfiguration(APPLICATION_CONFIG_FILE_NAME) + val applicationConfig = loadNaisOrLocalConfiguration(APPLICATION_CONFIG) + val securityConfig = loadNaisOrLocalConfiguration(SECURITY_CONFIG) val dataSource = createTestDataSource() val prometheusMeterRegistry = PrometheusMeterRegistry(PrometheusConfig.DEFAULT) val kafkaKeysClientMock = mockk() @@ -76,7 +79,8 @@ class ApplicationTestContext { fun createApplicationContext(bekreftelseService: BekreftelseService) = ApplicationContext( serverConfig, - applicationConfig.copy(authProviders = mockOAuth2Server.createAuthProviders()), + applicationConfig, + securityConfig.copy(authProviders = mockOAuth2Server.createAuthProviders()), dataSource, kafkaKeysClientMock, prometheusMeterRegistry, 
@@ -120,25 +124,22 @@ class ApplicationTestContext { val wellKnownUrl = wellKnownUrl("default").toString() return listOf( AuthProvider( - IdPorten.name, wellKnownUrl, "default", AuthProviderClaims( - listOf( - "acr=idporten-loa-high" - ) - ) + name = IdPorten.name, + clientId = "default", + discoveryUrl = wellKnownUrl, + claims = AuthProviderClaims(listOf("acr=idporten-loa-high")) ), AuthProvider( - TokenX.name, wellKnownUrl, "default", AuthProviderClaims( - listOf( - "acr=Level4", "acr=idporten-loa-high" - ), true - ) + name = TokenX.name, + clientId = "default", + discoveryUrl = wellKnownUrl, + claims = AuthProviderClaims(listOf("acr=Level4", "acr=idporten-loa-high"), true) ), AuthProvider( - AzureAd.name, wellKnownUrl, "default", AuthProviderClaims( - listOf( - "NAVident" - ) - ) + name = AzureAd.name, + clientId = "default", + discoveryUrl = wellKnownUrl, + claims = AuthProviderClaims(listOf("NAVident")) ) ) } diff --git a/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/KafkaTestDataProducer.kt b/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/KafkaTestDataProducer.kt index e124a38a..e712136a 100644 --- a/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/KafkaTestDataProducer.kt +++ b/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/KafkaTestDataProducer.kt 
@@ -2,11 +2,13 @@ package no.nav.paw.bekreftelse.api.test import kotlinx.coroutines.launch import kotlinx.coroutines.runBlocking -import no.nav.paw.bekreftelse.api.config.APPLICATION_CONFIG_FILE_NAME +import no.nav.paw.bekreftelse.api.config.APPLICATION_CONFIG import no.nav.paw.bekreftelse.api.config.ApplicationConfig import no.nav.paw.bekreftelse.internehendelser.BekreftelseHendelse import no.nav.paw.bekreftelse.internehendelser.BekreftelseHendelseSerializer import no.nav.paw.config.hoplite.loadNaisOrLocalConfiguration +import no.nav.paw.config.kafka.KAFKA_CONFIG_WITH_SCHEME_REG +import no.nav.paw.config.kafka.KafkaConfig import no.nav.paw.config.kafka.KafkaFactory import no.nav.paw.config.kafka.sendDeferred import org.apache.kafka.clients.producer.Producer @@ -18,8 +20,9 @@ import java.util.* fun main() { - val applicationConfig = loadNaisOrLocalConfiguration(APPLICATION_CONFIG_FILE_NAME) - val kafkaFactory = KafkaFactory(applicationConfig.kafkaClients) + val applicationConfig = loadNaisOrLocalConfiguration(APPLICATION_CONFIG) + val kafkaConfig = loadNaisOrLocalConfiguration(KAFKA_CONFIG_WITH_SCHEME_REG) + val kafkaFactory = KafkaFactory(kafkaConfig) val kafkaProducer = kafkaFactory.createProducer( clientId = "bekreftelse-api-test-kafka-producer", keySerializer = LongSerializer::class, diff --git a/docker/README.md b/docker/README.md new file mode 100644 index 00000000..1f717509 --- /dev/null +++ b/docker/README.md 
@@ -0,0 +1,45 @@ +# Docker + +## Start containere +```bash +docker compose -f ./postgres/docker-compose.yaml up -d +``` +```bash +docker compose -f ./kafka/docker-compose.yaml up -d +``` +```bash +docker compose -f ./mocks/docker-compose.yaml up -d +``` + +## Stopp containere +```bash +docker compose -f ./postgres/docker-compose.yaml stop +``` +```bash +docker compose -f ./kafka/docker-compose.yaml stop +``` +```bash +docker compose -f ./mocks/docker-compose.yaml stop +``` + +## Slett containere +```bash +docker compose -f ./postgres/docker-compose.yaml rm -s -v -f +``` +```bash +docker compose -f ./kafka/docker-compose.yaml rm -s -v -f +``` +```bash +docker compose -f ./mocks/docker-compose.yaml rm -s -v -f +``` + +## Slette volumer +```bash +docker volume rm postgres +``` +```bash +docker volume rm kafka-data kafka-secrets schema-registry-secrets +``` +```bash +docker compose -f ./mocks/docker-compose.yaml rm -s -v -f +``` diff --git a/lib/kafka-key-generator-client/src/main/kotlin/no/nav/paw/kafkakeygenerator/auth/AzureM2MConfig.kt b/lib/kafka-key-generator-client/src/main/kotlin/no/nav/paw/kafkakeygenerator/auth/AzureM2MConfig.kt index c65fa5da..3f2a6cf2 100644 --- a/lib/kafka-key-generator-client/src/main/kotlin/no/nav/paw/kafkakeygenerator/auth/AzureM2MConfig.kt +++ b/lib/kafka-key-generator-client/src/main/kotlin/no/nav/paw/kafkakeygenerator/auth/AzureM2MConfig.kt @@ -1,5 +1,7 @@ package no.nav.paw.kafkakeygenerator.auth +const val AZURE_M2M_CONFIG = "azure_m2m.toml" + data class AzureM2MConfig( val tokenEndpointUrl: String, val clientId: String diff --git a/lib/kafka-key-generator-client/src/main/kotlin/no/nav/paw/kafkakeygenerator/client/Factory.kt b/lib/kafka-key-generator-client/src/main/kotlin/no/nav/paw/kafkakeygenerator/client/Factory.kt index de38cf71..d9faf55b 100644 --- a/lib/kafka-key-generator-client/src/main/kotlin/no/nav/paw/kafkakeygenerator/client/Factory.kt 
+++ b/lib/kafka-key-generator-client/src/main/kotlin/no/nav/paw/kafkakeygenerator/client/Factory.kt @@ -1,24 +1,26 @@ package no.nav.paw.kafkakeygenerator.client -import io.ktor.client.* -import io.ktor.client.plugins.contentnegotiation.* -import io.ktor.serialization.jackson.* +import io.ktor.client.HttpClient +import io.ktor.client.plugins.contentnegotiation.ContentNegotiation +import io.ktor.serialization.jackson.jackson import no.nav.common.token_client.client.AzureAdMachineToMachineTokenClient import no.nav.paw.config.env.currentRuntimeEnvironment import no.nav.paw.config.hoplite.loadNaisOrLocalConfiguration +import no.nav.paw.kafkakeygenerator.auth.AZURE_M2M_CONFIG import no.nav.paw.kafkakeygenerator.auth.AzureM2MConfig import no.nav.paw.kafkakeygenerator.auth.azureAdM2MTokenClient fun createKafkaKeyGeneratorClient(m2mTokenClient: AzureAdMachineToMachineTokenClient? = null): KafkaKeysClient { - val kafkaKeyConfig = loadNaisOrLocalConfiguration("kafka_key_generator_client_config.toml") + val kafkaKeyConfig = loadNaisOrLocalConfiguration(KAFKA_KEY_GENERATOR_CLIENT_CONFIG) val m2mTC = m2mTokenClient ?: azureAdM2MTokenClient( currentRuntimeEnvironment, - loadNaisOrLocalConfiguration("azure_m2m.toml") + loadNaisOrLocalConfiguration(AZURE_M2M_CONFIG) ) return kafkaKeysClient(kafkaKeyConfig) { m2mTC.createMachineToMachineToken(kafkaKeyConfig.scope) } } + fun kafkaKeysClient(konfigurasjon: KafkaKeyConfig, m2mTokenFactory: () -> String): KafkaKeysClient = when (konfigurasjon.url) { "MOCK" -> inMemoryKafkaKeysMock() diff --git a/lib/kafka-key-generator-client/src/main/kotlin/no/nav/paw/kafkakeygenerator/client/KafkaKeyConfig.kt b/lib/kafka-key-generator-client/src/main/kotlin/no/nav/paw/kafkakeygenerator/client/KafkaKeyConfig.kt index c05da698..ade3aced 100644 --- a/lib/kafka-key-generator-client/src/main/kotlin/no/nav/paw/kafkakeygenerator/client/KafkaKeyConfig.kt 
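Review bot: `kafkaKeysClient` still swaps in `inMemoryKafkaKeysMock()` whenever `konfigurasjon.url == "MOCK"` — that `when` predates this patch and continues past the hunk — and with the file name now shared through `KAFKA_KEY_GENERATOR_CLIENT_CONFIG` the same config is loaded both here and in `ApplicationContext.create()`. A `url` set to `MOCK` in a deployed `kafka_key_generator_client_config.toml` therefore silently replaces the identity-to-key lookup with an in-memory fake instead of failing. Consider gating that branch on `currentRuntimeEnvironment`, which this file already imports, so the mock is only reachable outside Nais; the exact predicate depends on the `RuntimeEnvironment` type, which is not visible here.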
+++ b/lib/kafka-key-generator-client/src/main/kotlin/no/nav/paw/kafkakeygenerator/client/KafkaKeyConfig.kt @@ -1,5 +1,7 @@ package no.nav.paw.kafkakeygenerator.client +const val KAFKA_KEY_GENERATOR_CLIENT_CONFIG = "kafka_key_generator_client_config.toml" + data class KafkaKeyConfig( val url: String, val scope: String diff --git a/lib/security/src/main/kotlin/no/nav/paw/security/authentication/config/SecurityConfig.kt b/lib/security/src/main/kotlin/no/nav/paw/security/authentication/config/SecurityConfig.kt new file mode 100644 index 00000000..f2fedada --- /dev/null +++ b/lib/security/src/main/kotlin/no/nav/paw/security/authentication/config/SecurityConfig.kt @@ -0,0 +1,17 @@ +package no.nav.paw.security.authentication.config + +const val SECURITY_CONFIG = "security_config.toml" + +data class SecurityConfig(val authProviders: List) + +data class AuthProvider( + val name: String, + val clientId: String, + val discoveryUrl: String, + val claims: AuthProviderClaims +) + +data class AuthProviderClaims( + val map: List, + val combineWithOr: Boolean = false +)
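Review bot: `SecurityConfig` accepts any list, so an empty `authProviders` or two providers sharing a `name` is only discovered when `configureAuthentication` runs `authProviders.forEach { tokenValidationSupport(...) }`, and the meaning of `AuthProviderClaims.map` and `combineWithOr` is documented nowhere in the new library. Add an `init` block, `init { require(authProviders.isNotEmpty()) { "security_config.toml must define at least one authProvider" }; require(authProviders.distinctBy { it.name }.size == authProviders.size) { "duplicate authProvider name" } }`, so a bad security config fails at load rather than at route registration. Also add KDoc on `AuthProviderClaims` stating that each `map` entry is a required claim, that the `claim=value` form pins the value (as the `acr=...` entries in the TOML files do), and that `combineWithOr = true` accepts a token satisfying any single entry — the last point is inferred from the tokenx configuration and should be confirmed against token-support's claim handling before it is written down.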