diff --git a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/Application.kt b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/Application.kt
index df222832..fa48cf62 100644
--- a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/Application.kt
+++ b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/Application.kt
@@ -27,7 +27,6 @@ fun main() {
     val applicationContext = ApplicationContext.create()
     val appName = applicationContext.serverConfig.runtimeEnvironment.appNameOrDefaultForLocal()
-
     with(applicationContext.serverConfig) {
         logger.info("Starter $appName med hostname $host og port $port")
diff --git a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/config/ApplicationConfig.kt b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/config/ApplicationConfig.kt
index 790fe1fd..bd420717 100644
--- a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/config/ApplicationConfig.kt
+++ b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/config/ApplicationConfig.kt
@@ -33,4 +33,9 @@ data class DatabaseConfig(
     val connectionTimeout: Duration = Duration.ofSeconds(30),
     val idleTimeout: Duration = Duration.ofMinutes(10),
     val maxLifetime: Duration = Duration.ofMinutes(30)
+)
+
+data class ClientConfig(
+    val url: String,
+    val scope: String
 )
\ No newline at end of file
diff --git a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/config/ServerConfig.kt b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/config/ServerConfig.kt
index 4ca33249..5cb6c116 100644
--- a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/config/ServerConfig.kt
+++ b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/config/ServerConfig.kt
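Review bot: The new `ClientConfig(url, scope)` in the ApplicationConfig.kt hunk carries no KDoc, so a reader cannot tell which downstream client it is loaded for or what `scope` is used for; the surrounding `DatabaseConfig` is undocumented too, so this is a wider gap rather than one this commit introduces. A one-line KDoc naming the service `url` points at and stating that `scope` is the token scope requested for that service (presumably the Azure M2M scope, given `azureM2MConfig` in ApplicationContext — confirm) would be enough. Neither field is validated anywhere visible; an `init { require(url.isNotBlank()) { "url must be set" } }` style check is an option if the configuration loader does not already reject empty values.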
@@ -3,7 +3,7 @@ package no.nav.paw.bekreftelse.api.config
 import no.nav.paw.config.env.RuntimeEnvironment
 import no.nav.paw.config.env.currentRuntimeEnvironment
-const val SERVER_CONFIG_FILE_NAME = "server_config.toml"
+const val SERVER_CONFIG = "server_config.toml"
 data class ServerConfig(
     val host: String,
diff --git a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/context/ApplicationContext.kt b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/context/ApplicationContext.kt
index a3cbb012..63a73e66 100644
--- a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/context/ApplicationContext.kt
+++ b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/context/ApplicationContext.kt
@@ -4,8 +4,9 @@ import io.micrometer.prometheusmetrics.PrometheusConfig
 import io.micrometer.prometheusmetrics.PrometheusMeterRegistry
 import no.nav.paw.bekreftelse.api.config.APPLICATION_CONFIG
 import no.nav.paw.bekreftelse.api.config.ApplicationConfig
+import no.nav.paw.bekreftelse.api.config.ClientConfig
 import no.nav.paw.bekreftelse.api.config.POAO_TILGANG_CLIENT_CONFIG
-import no.nav.paw.bekreftelse.api.config.SERVER_CONFIG_FILE_NAME
+import no.nav.paw.bekreftelse.api.config.SERVER_CONFIG
 import no.nav.paw.bekreftelse.api.config.ServerConfig
 import no.nav.paw.bekreftelse.api.handler.KafkaConsumerExceptionHandler
 import no.nav.paw.bekreftelse.api.producer.BekreftelseKafkaProducer
@@ -58,13 +59,13 @@ data class ApplicationContext(
 ) {
     companion object {
         fun create(): ApplicationContext {
-            val serverConfig = loadNaisOrLocalConfiguration(SERVER_CONFIG_FILE_NAME)
+            val serverConfig = loadNaisOrLocalConfiguration(SERVER_CONFIG)
             val applicationConfig = loadNaisOrLocalConfiguration(APPLICATION_CONFIG)
             val securityConfig = loadNaisOrLocalConfiguration(SECURITY_CONFIG)
             val kafkaConfig = loadNaisOrLocalConfiguration(KAFKA_CONFIG_WITH_SCHEME_REG)
             val azureM2MConfig = loadNaisOrLocalConfiguration(AZURE_M2M_CONFIG)
             val kafkaKeysClientConfig = loadNaisOrLocalConfiguration(KAFKA_KEY_GENERATOR_CLIENT_CONFIG)
-            val poaoTilgangClientConfig = loadNaisOrLocalConfiguration(POAO_TILGANG_CLIENT_CONFIG)
+            val poaoTilgangClientConfig = loadNaisOrLocalConfiguration(POAO_TILGANG_CLIENT_CONFIG)
             val dataSource = createDataSource(applicationConfig.database)
diff --git a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/policy/PoaoTilgangAccessPolicy.kt b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/policy/PoaoTilgangAccessPolicy.kt
index 272db80f..5d5eef2d 100644
--- a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/policy/PoaoTilgangAccessPolicy.kt
+++ b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/policy/PoaoTilgangAccessPolicy.kt
@@ -48,14 +48,14 @@ class PoaoTilgangAccessPolicy(
                 return Deny("Veileder må sende med identitetsnummer for sluttbruker")
             }
-            val navAnsattTilgang = poaoTilgangClient.evaluatePolicy(
+            val result = poaoTilgangClient.evaluatePolicy(
                 NavAnsattTilgangTilEksternBrukerPolicyInput(
                     navAnsattAzureId = bruker.oid,
                     tilgangType = tilgangType,
                     norskIdent = identitetsnummer.verdi
                 )
             )
-            val tilgang = navAnsattTilgang.get()
+            val tilgang = result.get()
             if (tilgang == null) {
                 return Deny("Kunne ikke finne tilgang for ansatt")
             } else if (tilgang.isDeny) {
@@ -66,7 +66,7 @@ class PoaoTilgangAccessPolicy(
                 runtimeEnvironment = serverConfig.runtimeEnvironment,
                 aktorIdent = bruker.ident,
                 sluttbrukerIdent = identitetsnummer.verdi,
-                tilgangType = tilgangType,
+                action = action,
                 melding = "NAV-ansatt har benyttet $tilgangType-tilgang til informasjon om sluttbruker"
             )
             return Permit("Veileder har $tilgangType-tilgang til sluttbruker")
@@ -74,10 +74,10 @@ class PoaoTilgangAccessPolicy(
         }
         is M2MToken -> {
-            if (identitetsnummer == null) {
-                return Deny("M2M-token må sende med identitetsnummer for sluttbruker")
+            if (identitetsnummer != null) {
+                return Permit("M2M-token har $tilgangType-tilgang til sluttbruker")
             }
-            return Permit("M2M-token har $tilgangType-tilgang til sluttbruker")
+            return Deny("M2M-token må sende med identitetsnummer for sluttbruker")
         }
         else -> {
diff --git a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/utils/Logging.kt b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/utils/Logging.kt
index ca5d0c09..3dff904c 100644
--- a/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/utils/Logging.kt
+++ b/apps/bekreftelse-api/src/main/kotlin/no/nav/paw/bekreftelse/api/utils/Logging.kt
@@ -5,7 +5,7 @@ import no.nav.common.audit_log.cef.CefMessageEvent
 import no.nav.common.audit_log.cef.CefMessageSeverity
 import no.nav.paw.config.env.RuntimeEnvironment
 import no.nav.paw.config.env.appNameOrDefaultForLocal
-import no.nav.poao_tilgang.client.TilgangType
+import no.nav.paw.security.authorization.model.Action
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
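Review bot: In the `is M2MToken` branch the Permit is granted on the mere presence of `identitetsnummer`, and unlike the NAV-ansatt path in the hunk above it nothing is written to the audit log before returning, so machine-to-machine access to a sluttbruker's data leaves no Sporingslogg entry; the branch has no policy evaluation at all in the new code. If the intent is that any client able to obtain an M2M token for this API is trusted (the authentication layer's allow-list being the only gate), that deserves a comment such as `// M2M callers are authorised solely by which apps may obtain a token for this API; no per-sluttbruker policy is evaluated here` and, ideally, the same audit call the veileder path makes, with the calling application's identity as `aktorIdent` if the token exposes one. In the `-66` hunk, `action = action` replaces `tilgangType` in what is evidently the `Logger.audit` call from Logging.kt while `melding` still interpolates `$tilgangType`; harmless as long as the two stay in step, but worth a glance. The enclosing `when` and the function start before and continue after these hunks.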
@@ -19,12 +19,12 @@ fun Logger.audit(
     runtimeEnvironment: RuntimeEnvironment,
     aktorIdent: String,
     sluttbrukerIdent: String,
-    tilgangType: TilgangType,
+    action: Action,
     melding: String,
 ) {
     val message = CefMessage.builder()
         .applicationName(runtimeEnvironment.appNameOrDefaultForLocal())
-        .event(if (tilgangType == TilgangType.LESE) CefMessageEvent.ACCESS else CefMessageEvent.UPDATE)
+        .event(if (action == Action.READ) CefMessageEvent.ACCESS else CefMessageEvent.UPDATE)
         .name("Sporingslogg")
         .severity(CefMessageSeverity.INFO)
         .sourceUserId(aktorIdent)
diff --git a/apps/bekreftelse-api/src/main/resources/nais/security_config.toml b/apps/bekreftelse-api/src/main/resources/nais/security_config.toml
index a1acdee5..1de810bb 100644
--- a/apps/bekreftelse-api/src/main/resources/nais/security_config.toml
+++ b/apps/bekreftelse-api/src/main/resources/nais/security_config.toml
@@ -1,15 +1,15 @@
 [[authProviders]]
 name = "idporten"
-discoveryUrl = "${IDPORTEN_WELL_KNOWN_URL}
 clientId = "${IDPORTEN_CLIENT_ID}"
+discoveryUrl = "${IDPORTEN_WELL_KNOWN_URL}
 [authProviders.claims]
 map = ["acr=idporten-loa-high"]
 [[authProviders]]
 name = "tokenx"
-discoveryUrl = "${TOKEN_X_WELL_KNOWN_URL}"
 clientId = "${TOKEN_X_CLIENT_ID}"
+discoveryUrl = "${TOKEN_X_WELL_KNOWN_URL}"
 [authProviders.claims]
 map = ["acr=Level4", "acr=idporten-loa-high"]
@@ -17,8 +17,8 @@ clientId = "${TOKEN_X_CLIENT_ID}"
 [[authProviders]]
 name = "azure"
-discoveryUrl = "${AZURE_APP_WELL_KNOWN_URL}"
 clientId = "${AZURE_APP_CLIENT_ID}"
+discoveryUrl = "${AZURE_APP_WELL_KNOWN_URL}"
 [authProviders.claims]
 map = ["NAVident"]
diff --git a/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/ApplicationTestContext.kt b/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/ApplicationTestContext.kt
index 6b3f6ad8..6fd606f9 100644
--- a/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/ApplicationTestContext.kt
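Review bot: `.event(if (action == Action.READ) CefMessageEvent.ACCESS else CefMessageEvent.UPDATE)` classifies every non-READ action as an UPDATE event, so if `Action` has or later gains values beyond read and write, those would be recorded in the audit trail as updates; the old `TilgangType` code had the same two-way split, but the enum has changed, so the mapping is worth re-checking. An exhaustive `when (action)` with no `else` branch would make the compiler flag any new value instead of silently mis-classifying it. I cannot see the `Action` definition in this diff, so whether it is currently two-valued is an assumption to confirm. The `audit` function continues past the end of the hunk.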
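Review bot: The idporten line `discoveryUrl = "${IDPORTEN_WELL_KNOWN_URL}` is missing its closing quote, on both the removed and the re-added line, while the tokenx and azure entries are properly terminated; unless the quote was lost in rendering, this is an unterminated TOML basic string and the file would fail to parse (or, depending on the loader, swallow the following lines). The line should read `discoveryUrl = "${IDPORTEN_WELL_KNOWN_URL}"`. Since this file decides which issuers the API accepts, a test that loads `security_config.toml` with the placeholders substituted would catch this class of error before deployment.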
+++ b/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/ApplicationTestContext.kt
@@ -10,7 +10,7 @@ import io.micrometer.prometheusmetrics.PrometheusMeterRegistry
 import io.mockk.mockk
 import no.nav.paw.bekreftelse.api.config.APPLICATION_CONFIG
 import no.nav.paw.bekreftelse.api.config.ApplicationConfig
-import no.nav.paw.bekreftelse.api.config.SERVER_CONFIG_FILE_NAME
+import no.nav.paw.bekreftelse.api.config.SERVER_CONFIG
 import no.nav.paw.bekreftelse.api.config.ServerConfig
 import no.nav.paw.bekreftelse.api.context.ApplicationContext
 import no.nav.paw.bekreftelse.api.handler.KafkaConsumerExceptionHandler
@@ -50,7 +50,7 @@ import javax.sql.DataSource
 class ApplicationTestContext {
-    val serverConfig = loadNaisOrLocalConfiguration(SERVER_CONFIG_FILE_NAME)
+    val serverConfig = loadNaisOrLocalConfiguration(SERVER_CONFIG)
     val applicationConfig = loadNaisOrLocalConfiguration(APPLICATION_CONFIG)
     val securityConfig = loadNaisOrLocalConfiguration(SECURITY_CONFIG)
     val dataSource = createTestDataSource()
@@ -120,30 +120,6 @@ class ApplicationTestContext {
         }
     }
-    private fun MockOAuth2Server.createAuthProviders(): List {
-        val wellKnownUrl = wellKnownUrl("default").toString()
-        return listOf(
-            AuthProvider(
-                name = IdPorten.name,
-                clientId = "default",
-                discoveryUrl = wellKnownUrl,
-                claims = AuthProviderClaims(listOf("acr=idporten-loa-high"))
-            ),
-            AuthProvider(
-                name = TokenX.name,
-                clientId = "default",
-                discoveryUrl = wellKnownUrl,
-                claims = AuthProviderClaims(listOf("acr=Level4", "acr=idporten-loa-high"), true)
-            ),
-            AuthProvider(
-                name = AzureAd.name,
-                clientId = "default",
-                discoveryUrl = wellKnownUrl,
-                claims = AuthProviderClaims(listOf("NAVident"))
-            )
-        )
-    }
-
     private fun createTestDataSource(): DataSource {
         val postgres = postgresContainer()
         val databaseConfig = postgres.let {
diff --git a/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/TokenTestUtils.kt b/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/TokenTestUtils.kt
index 1b0607a5..d09b0981 100644
--- a/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/TokenTestUtils.kt
+++ b/apps/bekreftelse-api/src/test/kotlin/no/nav/paw/bekreftelse/api/test/TokenTestUtils.kt
@@ -1,6 +1,11 @@
 package no.nav.paw.bekreftelse.api.test
 import com.nimbusds.jwt.SignedJWT
+import no.nav.paw.security.authentication.config.AuthProvider
+import no.nav.paw.security.authentication.config.AuthProviderClaims
+import no.nav.paw.security.authentication.token.AzureAd
+import no.nav.paw.security.authentication.token.IdPorten
+import no.nav.paw.security.authentication.token.TokenX
 import no.nav.security.mock.oauth2.MockOAuth2Server
 import java.util.*
@@ -41,3 +46,27 @@ fun MockOAuth2Server.issueAzureM2MToken(
         )
     )
 }
+
+fun MockOAuth2Server.createAuthProviders(): List {
+    val wellKnownUrl = wellKnownUrl("default").toString()
+    return listOf(
+        AuthProvider(
+            name = IdPorten.name,
+            clientId = "default",
+            discoveryUrl = wellKnownUrl,
+            claims = AuthProviderClaims(listOf("acr=idporten-loa-high"))
+        ),
+        AuthProvider(
+            name = TokenX.name,
+            clientId = "default",
+            discoveryUrl = wellKnownUrl,
+            claims = AuthProviderClaims(listOf("acr=Level4", "acr=idporten-loa-high"), true)
+        ),
+        AuthProvider(
+            name = AzureAd.name,
+            clientId = "default",
+            discoveryUrl = wellKnownUrl,
+            claims = AuthProviderClaims(listOf("NAVident"))
+        )
+    )
+}
diff --git a/lib/security/src/test/kotlin/no/nav/paw/security/test/TestApplicationContext.kt b/lib/security/src/test/kotlin/no/nav/paw/security/test/TestApplicationContext.kt
index 369f13a1..38aa3234 100644
--- a/lib/security/src/test/kotlin/no/nav/paw/security/test/TestApplicationContext.kt
+++ b/lib/security/src/test/kotlin/no/nav/paw/security/test/TestApplicationContext.kt
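Review bot: In the relocated `createAuthProviders`, the TokenX entry passes the boolean positionally, `AuthProviderClaims(listOf("acr=Level4", "acr=idporten-loa-high"), true)`, while the sibling helper `getAuthProviders` in lib/security's TokenTestUtils spells it `combineWithOr = true`; naming it here as `claims = AuthProviderClaims(listOf("acr=Level4", "acr=idporten-loa-high"), combineWithOr = true)` keeps the two test helpers consistent and makes the OR semantics visible at the call site. A short KDoc on the function noting that all three providers deliberately share the mock server's `"default"` issuer and client id would also help the next reader, since in production each provider has its own `clientId`. Otherwise this is a straight move out of ApplicationTestContext.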
@@ -104,13 +104,13 @@ class TestApplicationContext {
                 IssuerConfig(
                     name = authProvider.name,
                     discoveryUrl = authProvider.discoveryUrl,
-                    acceptedAudience = authProvider.acceptedAudience
+                    acceptedAudience = listOf(authProvider.clientId)
                 )
             ),
             requiredClaims = RequiredClaims(
                 authProvider.name,
-                authProvider.claimMap,
-                authProvider.combineWithOr
+                authProvider.claims.map.toTypedArray(),
+                authProvider.claims.combineWithOr
             )
         )
     }
diff --git a/lib/security/src/test/kotlin/no/nav/paw/security/test/TokenTestUtils.kt b/lib/security/src/test/kotlin/no/nav/paw/security/test/TokenTestUtils.kt
index 25456410..f8ae7882 100644
--- a/lib/security/src/test/kotlin/no/nav/paw/security/test/TokenTestUtils.kt
+++ b/lib/security/src/test/kotlin/no/nav/paw/security/test/TokenTestUtils.kt
@@ -1,5 +1,7 @@
 package no.nav.paw.security.test
+import no.nav.paw.security.authentication.config.AuthProvider
+import no.nav.paw.security.authentication.config.AuthProviderClaims
 import no.nav.security.mock.oauth2.MockOAuth2Server
 import java.util.*
@@ -57,24 +59,15 @@ fun MockOAuth2Server.getAuthProviders(): List {
     val issuerId = "default"
     val wellKnownUrl = wellKnownUrl(issuerId).toString()
     return listOf(
-        "idporten" to arrayOf("acr=idporten-loa-high"),
-        "tokenx" to arrayOf("acr=idporten-loa-high"),
-        "azure" to arrayOf("NAVident")
+        "idporten" to listOf("acr=idporten-loa-high"),
+        "tokenx" to listOf("acr=idporten-loa-high"),
+        "azure" to listOf("NAVident")
     ).map {
         AuthProvider(
             name = it.first,
+            clientId = issuerId,
             discoveryUrl = wellKnownUrl,
-            acceptedAudience = listOf(issuerId),
-            claimMap = it.second,
-            combineWithOr = true
+            claims = AuthProviderClaims(map = it.second, combineWithOr = true)
         )
     }
 }
-
-data class AuthProvider(
-    val name: String,
-    val discoveryUrl: String,
-    val acceptedAudience: List,
-    val claimMap: Array,
-    val combineWithOr: Boolean
-)