From bd7b179b359cb9a97d67103e731d0c746e2dd478 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Odd=20Andreas=20S=C3=B8rs=C3=A6ther?=
 <oddsor@users.noreply.github.com>
Date: Fri, 23 Feb 2024 14:45:26 +0100
Subject: [PATCH] Oppgrader spring-boot etc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Kritiske sårbarheter ble oppdaget i flere pakker.
---
 pom.xml                                          | 16 +++++-----------
 .../tiltakrefusjon/AuditLoggingFilter.kt         |  2 +-
 .../SecurityClientConfiguration.kt               |  4 ++--
 .../autorisering/InnloggetBrukerService.kt       | 14 ++++++++------
 4 files changed, 16 insertions(+), 20 deletions(-)

diff --git a/pom.xml b/pom.xml
index f37ebf52..1becfe6a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>3.1.0</version>
+        <version>3.2.2</version>
         <relativePath/> <!-- lookup parent from repository -->
     </parent>
     <groupId>no.nav.arbeidsgiver</groupId>
@@ -16,7 +16,7 @@
         <java.version>17</java.version>
         <kotlin.version>1.8.10</kotlin.version>
         <cucumber.version>6.4.0</cucumber.version>
-        <token-support.version>3.1.0</token-support.version>
+        <token-support.version>4.1.3</token-support.version>
     </properties>
 
     <dependencies>
@@ -94,7 +94,7 @@
         <dependency>
             <groupId>de.monochromata.cucumber</groupId>
             <artifactId>reporting-plugin</artifactId>
-            <version>4.0.70</version>
+            <version>5.0.0</version>
             <scope>test</scope>
         </dependency>
         <!-- Database -->
@@ -114,6 +114,7 @@
         <dependency>
             <groupId>org.postgresql</groupId>
             <artifactId>postgresql</artifactId>
+            <version>42.7.2</version>
         </dependency>
         <!--Tokensupport -->
         <dependency>
@@ -167,7 +168,7 @@
         <dependency>
             <groupId>org.springframework.cloud</groupId>
             <artifactId>spring-cloud-starter-contract-stub-runner</artifactId>
-            <version>2.2.5.RELEASE</version>
+            <version>4.1.1</version>
         </dependency>
 
         <dependency>
@@ -176,13 +177,6 @@
             <version>8.2.0</version>
         </dependency>
 
-        <dependency>
-            <groupId>org.awaitility</groupId>
-            <artifactId>awaitility-kotlin</artifactId>
-            <version>4.0.3</version>
-            <scope>test</scope>
-        </dependency>
-
         <dependency>
             <groupId>io.micrometer</groupId>
             <artifactId>micrometer-registry-prometheus</artifactId>
diff --git a/src/main/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/AuditLoggingFilter.kt b/src/main/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/AuditLoggingFilter.kt
index 4a74df8e..58d19a92 100644
--- a/src/main/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/AuditLoggingFilter.kt
+++ b/src/main/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/AuditLoggingFilter.kt
@@ -47,7 +47,7 @@ class AuditLoggingFilter(
             try {
                 val fnr: List<String> = JsonPath.read<List<String>?>(wrapper.contentInputStream, "$..deltakerFnr").distinct()
                 val utførtTid = Now.instant()
-                val brukerId = context.tokenValidationContext.getClaims("tokenx")?.getStringClaim("pid") ?: context.tokenValidationContext.getClaims("aad")?.getStringClaim("NAVident")
+                val brukerId = context.getTokenValidationContext().getClaims("tokenx").getStringClaim("pid") ?: context.getTokenValidationContext().getClaims("aad").getStringClaim("NAVident")
 
                 val uri = URI.create(request.requestURI)
                 // Logger kun oppslag dersom en innlogget bruker utførte oppslaget
diff --git a/src/main/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/SecurityClientConfiguration.kt b/src/main/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/SecurityClientConfiguration.kt
index 3648dc4a..6f1de94b 100644
--- a/src/main/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/SecurityClientConfiguration.kt
+++ b/src/main/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/SecurityClientConfiguration.kt
@@ -45,10 +45,10 @@ class SecurityClientConfiguration(
     private fun bearerTokenInterceptor(
             clientProperties: ClientProperties,
             oAuth2AccessTokenService: OAuth2AccessTokenService
-    ): ClientHttpRequestInterceptor? {
+    ): ClientHttpRequestInterceptor {
         return ClientHttpRequestInterceptor { request: HttpRequest, body: ByteArray?, execution: ClientHttpRequestExecution ->
             val response = oAuth2AccessTokenService.getAccessToken(clientProperties)
-            request.headers.setBearerAuth(response.accessToken)
+            request.headers.setBearerAuth(response.accessToken!!)
             execution.execute(request, body!!)
         }
     }
diff --git a/src/main/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/autorisering/InnloggetBrukerService.kt b/src/main/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/autorisering/InnloggetBrukerService.kt
index ce609da5..2a24d87e 100644
--- a/src/main/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/autorisering/InnloggetBrukerService.kt
+++ b/src/main/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/autorisering/InnloggetBrukerService.kt
@@ -30,15 +30,15 @@ class InnloggetBrukerService(
     var logger: Logger = LoggerFactory.getLogger(javaClass)
 
     fun erArbeidsgiver(): Boolean {
-        return context.tokenValidationContext.hasTokenFor("tokenx")
+        return context.getTokenValidationContext().hasTokenFor("tokenx")
     }
 
     fun erSaksbehandler(): Boolean {
-        return context.tokenValidationContext.hasTokenFor("aad")
+        return context.getTokenValidationContext().hasTokenFor("aad")
     }
 
     fun erBeslutter(): Boolean {
-        val groupClaim  = context.tokenValidationContext.getClaims("aad").get("groups") as List<String>
+        val groupClaim = context.getTokenValidationContext().getClaims("aad").get("groups") as List<String>
         return erSaksbehandler() && groupClaim.contains(beslutterRolleConfig.id)
     }
 
@@ -47,11 +47,11 @@ class InnloggetBrukerService(
     }
 
     fun navIdent(): String {
-        return context.tokenValidationContext.getClaims("aad").getStringClaim("NAVident")
+        return context.getTokenValidationContext().getClaims("aad").getStringClaim("NAVident")
     }
 
     fun displayName(): String {
-        val displayNameClaim = context.tokenValidationContext.getClaims("aad").get("name")
+        val displayNameClaim = context.getTokenValidationContext().getClaims("aad").get("name")
         if (displayNameClaim != null) {
             return displayNameClaim as String
         }
@@ -61,9 +61,10 @@ class InnloggetBrukerService(
     fun hentInnloggetArbeidsgiver(): InnloggetArbeidsgiver {
         return when {
             erArbeidsgiver() -> {
-                val fnr = Fnr(context.tokenValidationContext.getClaims("tokenx").getStringClaim("pid"))
+                val fnr = Fnr(context.getTokenValidationContext().getClaims("tokenx").getStringClaim("pid"))
                 InnloggetArbeidsgiver(fnr.verdi, altinnTilgangsstyringService, refusjonRepository, korreksjonRepository, refusjonService, eregClient)
             }
+
             else -> {
                 throw RuntimeException("Feil ved token, kunne ikke identifisere arbeidsgiver")
             }
@@ -86,6 +87,7 @@ class InnloggetBrukerService(
                     norgeService = norgService
                 )
             }
+
             else -> {
                 throw RuntimeException("Feil ved token, kunne ikke identifisere saksbehandler")
             }