Fikset bygg

navikt · Nov 4, 2024 · 454ed61 · 454ed61
1 parent d3f3c4d
commit 454ed61
Show file tree

Hide file tree

Showing 11 changed files with 63 additions and 60 deletions.
diff --git a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/Application.kt b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/Application.kt
@@ -27,7 +27,6 @@ fun main() {
     val applicationContext = ApplicationContext.create()
     val appName = applicationContext.serverConfig.runtimeEnvironment.appNameOrDefaultForLocal()
 
-
     with(applicationContext.serverConfig) {
         logger.info("Starter $appName med hostname $host og port $port")
 

diff --git a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/config/ApplicationConfig.kt b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/config/ApplicationConfig.kt
@@ -33,4 +33,9 @@ data class DatabaseConfig(
     val connectionTimeout: Duration = Duration.ofSeconds(30),
     val idleTimeout: Duration = Duration.ofMinutes(10),
     val maxLifetime: Duration = Duration.ofMinutes(30)
+)
+
+data class ClientConfig(
+    val url: String,
+    val scope: String
 )
diff --git a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/config/ServerConfig.kt b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/config/ServerConfig.kt
@@ -3,7 +3,7 @@ package no.nav.paw.bekreftelse.api.config
 import no.nav.paw.config.env.RuntimeEnvironment
 import no.nav.paw.config.env.currentRuntimeEnvironment
 
-const val SERVER_CONFIG_FILE_NAME = "server_config.toml"
+const val SERVER_CONFIG = "server_config.toml"
 
 data class ServerConfig(
     val host: String,

diff --git a/.../bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/context/ApplicationContext.kt b/.../bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/context/ApplicationContext.kt
@@ -4,8 +4,9 @@ import io.micrometer.prometheusmetrics.PrometheusConfig
 import io.micrometer.prometheusmetrics.PrometheusMeterRegistry
 import no.nav.paw.bekreftelse.api.config.APPLICATION_CONFIG
 import no.nav.paw.bekreftelse.api.config.ApplicationConfig
+import no.nav.paw.bekreftelse.api.config.ClientConfig
 import no.nav.paw.bekreftelse.api.config.POAO_TILGANG_CLIENT_CONFIG
-import no.nav.paw.bekreftelse.api.config.SERVER_CONFIG_FILE_NAME
+import no.nav.paw.bekreftelse.api.config.SERVER_CONFIG
 import no.nav.paw.bekreftelse.api.config.ServerConfig
 import no.nav.paw.bekreftelse.api.handler.KafkaConsumerExceptionHandler
 import no.nav.paw.bekreftelse.api.producer.BekreftelseKafkaProducer
@@ -58,13 +59,13 @@ data class ApplicationContext(
 ) {
     companion object {
         fun create(): ApplicationContext {
-            val serverConfig = loadNaisOrLocalConfiguration<ServerConfig>(SERVER_CONFIG_FILE_NAME)
+            val serverConfig = loadNaisOrLocalConfiguration<ServerConfig>(SERVER_CONFIG)
             val applicationConfig = loadNaisOrLocalConfiguration<ApplicationConfig>(APPLICATION_CONFIG)
             val securityConfig = loadNaisOrLocalConfiguration<SecurityConfig>(SECURITY_CONFIG)
             val kafkaConfig = loadNaisOrLocalConfiguration<KafkaConfig>(KAFKA_CONFIG_WITH_SCHEME_REG)
             val azureM2MConfig = loadNaisOrLocalConfiguration<AzureM2MConfig>(AZURE_M2M_CONFIG)
             val kafkaKeysClientConfig = loadNaisOrLocalConfiguration<KafkaKeyConfig>(KAFKA_KEY_GENERATOR_CLIENT_CONFIG)
-            val poaoTilgangClientConfig = loadNaisOrLocalConfiguration<KafkaKeyConfig>(POAO_TILGANG_CLIENT_CONFIG)
+            val poaoTilgangClientConfig = loadNaisOrLocalConfiguration<ClientConfig>(POAO_TILGANG_CLIENT_CONFIG)
 
             val dataSource = createDataSource(applicationConfig.database)
 

diff --git a/...reftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/policy/PoaoTilgangAccessPolicy.kt b/...reftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/policy/PoaoTilgangAccessPolicy.kt
@@ -48,14 +48,14 @@ class PoaoTilgangAccessPolicy(
                     return Deny("Veileder må sende med identitetsnummer for sluttbruker")
                 }
 
-                val navAnsattTilgang = poaoTilgangClient.evaluatePolicy(
+                val result = poaoTilgangClient.evaluatePolicy(
                     NavAnsattTilgangTilEksternBrukerPolicyInput(
                         navAnsattAzureId = bruker.oid,
                         tilgangType = tilgangType,
                         norskIdent = identitetsnummer.verdi
                     )
                 )
-                val tilgang = navAnsattTilgang.get()
+                val tilgang = result.get()
                 if (tilgang == null) {
                     return Deny("Kunne ikke finne tilgang for ansatt")
                 } else if (tilgang.isDeny) {
@@ -66,18 +66,18 @@ class PoaoTilgangAccessPolicy(
                         runtimeEnvironment = serverConfig.runtimeEnvironment,
                         aktorIdent = bruker.ident,
                         sluttbrukerIdent = identitetsnummer.verdi,
-                        tilgangType = tilgangType,
+                        action = action,
                         melding = "NAV-ansatt har benyttet $tilgangType-tilgang til informasjon om sluttbruker"
                     )
                     return Permit("Veileder har $tilgangType-tilgang til sluttbruker")
                 }
             }
 
             is M2MToken -> {
-                if (identitetsnummer == null) {
-                    return Deny("M2M-token må sende med identitetsnummer for sluttbruker")
+                if (identitetsnummer != null) {
+                    return Permit("M2M-token har $tilgangType-tilgang til sluttbruker")
                 }
-                return Permit("M2M-token har $tilgangType-tilgang til sluttbruker")
+                return Deny("M2M-token må sende med identitetsnummer for sluttbruker")
             }
 
             else -> {

diff --git a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/utils/Logging.kt b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/utils/Logging.kt
@@ -5,7 +5,7 @@ import no.nav.common.audit_log.cef.CefMessageEvent
 import no.nav.common.audit_log.cef.CefMessageSeverity
 import no.nav.paw.config.env.RuntimeEnvironment
 import no.nav.paw.config.env.appNameOrDefaultForLocal
-import no.nav.poao_tilgang.client.TilgangType
+import no.nav.paw.security.authorization.model.Action
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 
@@ -19,12 +19,12 @@ fun Logger.audit(
     runtimeEnvironment: RuntimeEnvironment,
     aktorIdent: String,
     sluttbrukerIdent: String,
-    tilgangType: TilgangType,
+    action: Action,
     melding: String,
 ) {
     val message = CefMessage.builder()
         .applicationName(runtimeEnvironment.appNameOrDefaultForLocal())
-        .event(if (tilgangType == TilgangType.LESE) CefMessageEvent.ACCESS else CefMessageEvent.UPDATE)
+        .event(if (action == Action.READ) CefMessageEvent.ACCESS else CefMessageEvent.UPDATE)
         .name("Sporingslogg")
         .severity(CefMessageSeverity.INFO)
         .sourceUserId(aktorIdent)

diff --git a/apps/bekreftelse-api/src/main/resources/nais/security_config.toml b/apps/bekreftelse-api/src/main/resources/nais/security_config.toml
@@ -1,24 +1,24 @@
 [[authProviders]]
 name = "idporten"
-discoveryUrl = "${IDPORTEN_WELL_KNOWN_URL}
 clientId = "${IDPORTEN_CLIENT_ID}"
+discoveryUrl = "${IDPORTEN_WELL_KNOWN_URL}
 
     [authProviders.claims]
     map = ["acr=idporten-loa-high"]
 
 [[authProviders]]
 name = "tokenx"
-discoveryUrl = "${TOKEN_X_WELL_KNOWN_URL}"
 clientId = "${TOKEN_X_CLIENT_ID}"
+discoveryUrl = "${TOKEN_X_WELL_KNOWN_URL}"
 
     [authProviders.claims]
     map = ["acr=Level4", "acr=idporten-loa-high"]
     combineWithOr = true
 
 [[authProviders]]
 name = "azure"
-discoveryUrl = "${AZURE_APP_WELL_KNOWN_URL}"
 clientId = "${AZURE_APP_CLIENT_ID}"
+discoveryUrl = "${AZURE_APP_WELL_KNOWN_URL}"
 
     [authProviders.claims]
     map = ["NAVident"]
diff --git a/...bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/ApplicationTestContext.kt b/...bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/ApplicationTestContext.kt
@@ -10,7 +10,7 @@ import io.micrometer.prometheusmetrics.PrometheusMeterRegistry
 import io.mockk.mockk
 import no.nav.paw.bekreftelse.api.config.APPLICATION_CONFIG
 import no.nav.paw.bekreftelse.api.config.ApplicationConfig
-import no.nav.paw.bekreftelse.api.config.SERVER_CONFIG_FILE_NAME
+import no.nav.paw.bekreftelse.api.config.SERVER_CONFIG
 import no.nav.paw.bekreftelse.api.config.ServerConfig
 import no.nav.paw.bekreftelse.api.context.ApplicationContext
 import no.nav.paw.bekreftelse.api.handler.KafkaConsumerExceptionHandler
@@ -50,7 +50,7 @@ import javax.sql.DataSource
 
 class ApplicationTestContext {
 
-    val serverConfig = loadNaisOrLocalConfiguration<ServerConfig>(SERVER_CONFIG_FILE_NAME)
+    val serverConfig = loadNaisOrLocalConfiguration<ServerConfig>(SERVER_CONFIG)
     val applicationConfig = loadNaisOrLocalConfiguration<ApplicationConfig>(APPLICATION_CONFIG)
     val securityConfig = loadNaisOrLocalConfiguration<SecurityConfig>(SECURITY_CONFIG)
     val dataSource = createTestDataSource()
@@ -120,30 +120,6 @@ class ApplicationTestContext {
         }
     }
 
-    private fun MockOAuth2Server.createAuthProviders(): List<AuthProvider> {
-        val wellKnownUrl = wellKnownUrl("default").toString()
-        return listOf(
-            AuthProvider(
-                name = IdPorten.name,
-                clientId = "default",
-                discoveryUrl = wellKnownUrl,
-                claims = AuthProviderClaims(listOf("acr=idporten-loa-high"))
-            ),
-            AuthProvider(
-                name = TokenX.name,
-                clientId = "default",
-                discoveryUrl = wellKnownUrl,
-                claims = AuthProviderClaims(listOf("acr=Level4", "acr=idporten-loa-high"), true)
-            ),
-            AuthProvider(
-                name = AzureAd.name,
-                clientId = "default",
-                discoveryUrl = wellKnownUrl,
-                claims = AuthProviderClaims(listOf("NAVident"))
-            )
-        )
-    }
-
     private fun createTestDataSource(): DataSource {
         val postgres = postgresContainer()
         val databaseConfig = postgres.let {

diff --git a/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/TokenTestUtils.kt b/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/TokenTestUtils.kt
@@ -1,6 +1,11 @@
 package no.nav.paw.bekreftelse.api.test
 
 import com.nimbusds.jwt.SignedJWT
+import no.nav.paw.security.authentication.config.AuthProvider
+import no.nav.paw.security.authentication.config.AuthProviderClaims
+import no.nav.paw.security.authentication.token.AzureAd
+import no.nav.paw.security.authentication.token.IdPorten
+import no.nav.paw.security.authentication.token.TokenX
 import no.nav.security.mock.oauth2.MockOAuth2Server
 import java.util.*
 
@@ -41,3 +46,27 @@ fun MockOAuth2Server.issueAzureM2MToken(
         )
     )
 }
+
+fun MockOAuth2Server.createAuthProviders(): List<AuthProvider> {
+    val wellKnownUrl = wellKnownUrl("default").toString()
+    return listOf(
+        AuthProvider(
+            name = IdPorten.name,
+            clientId = "default",
+            discoveryUrl = wellKnownUrl,
+            claims = AuthProviderClaims(listOf("acr=idporten-loa-high"))
+        ),
+        AuthProvider(
+            name = TokenX.name,
+            clientId = "default",
+            discoveryUrl = wellKnownUrl,
+            claims = AuthProviderClaims(listOf("acr=Level4", "acr=idporten-loa-high"), true)
+        ),
+        AuthProvider(
+            name = AzureAd.name,
+            clientId = "default",
+            discoveryUrl = wellKnownUrl,
+            claims = AuthProviderClaims(listOf("NAVident"))
+        )
+    )
+}
diff --git a/lib/security/src/test/kotlin/no/nav/paw/security/test/TestApplicationContext.kt b/lib/security/src/test/kotlin/no/nav/paw/security/test/TestApplicationContext.kt
@@ -104,13 +104,13 @@ class TestApplicationContext {
                         IssuerConfig(
                             name = authProvider.name,
                             discoveryUrl = authProvider.discoveryUrl,
-                            acceptedAudience = authProvider.acceptedAudience
+                            acceptedAudience = listOf(authProvider.clientId)
                         )
                     ),
                     requiredClaims = RequiredClaims(
                         authProvider.name,
-                        authProvider.claimMap,
-                        authProvider.combineWithOr
+                        authProvider.claims.map.toTypedArray(),
+                        authProvider.claims.combineWithOr
                     )
                 )
             }

diff --git a/lib/security/src/test/kotlin/no/nav/paw/security/test/TokenTestUtils.kt b/lib/security/src/test/kotlin/no/nav/paw/security/test/TokenTestUtils.kt
@@ -1,5 +1,7 @@
 package no.nav.paw.security.test
 
+import no.nav.paw.security.authentication.config.AuthProvider
+import no.nav.paw.security.authentication.config.AuthProviderClaims
 import no.nav.security.mock.oauth2.MockOAuth2Server
 import java.util.*
 
@@ -57,24 +59,15 @@ fun MockOAuth2Server.getAuthProviders(): List<AuthProvider> {
     val issuerId = "default"
     val wellKnownUrl = wellKnownUrl(issuerId).toString()
     return listOf(
-        "idporten" to arrayOf("acr=idporten-loa-high"),
-        "tokenx" to arrayOf("acr=idporten-loa-high"),
-        "azure" to arrayOf("NAVident")
+        "idporten" to listOf("acr=idporten-loa-high"),
+        "tokenx" to listOf("acr=idporten-loa-high"),
+        "azure" to listOf("NAVident")
     ).map {
         AuthProvider(
             name = it.first,
+            clientId = issuerId,
             discoveryUrl = wellKnownUrl,
-            acceptedAudience = listOf(issuerId),
-            claimMap = it.second,
-            combineWithOr = true
+            claims = AuthProviderClaims(map = it.second, combineWithOr = true)
         )
     }
 }
-
-data class AuthProvider(
-    val name: String,
-    val discoveryUrl: String,
-    val acceptedAudience: List<String>,
-    val claimMap: Array<String>,
-    val combineWithOr: Boolean
-)