Merge pull request #274 from navikt/dev

Prodsette: Ta i bruk poao-tilgang (bak feature-toggle)

nais-dev.yaml

@@ -100,3 +100,7 @@ spec:
       value: 98a17237-0bfc-496e-ba28-cdb320960257
     - name: POAO_TILGANG_CLIENT_ID
       value: 986c77da-3cfa-4a9e-b11d-b3d193ada8cd
+    - name: POAO_TILGANG_URL
+      value: https://poao-tilgang.dev.intern.nav.no
+    - name: POAO_TILGANG_SCOPE
+      value: api://dev-gcp.poao.poao-tilgang/.default

nais-prod.yaml

@@ -97,3 +97,7 @@ spec:
       value: 4bc6277f-7c25-49b9-803f-a9873995889f
     - name: POAO_TILGANG_CLIENT_ID
       value: b345dcb8-d4f8-41fc-9d4e-bc169c04145b
+    - name: POAO_TILGANG_URL
+      value: https://poao-tilgang.intern.nav.no
+    - name: POAO_TILGANG_SCOPE
+      value: api://prod-gcp.poao.poao-tilgang/.default

pom.xml

@@ -187,6 +187,11 @@
             <artifactId>health</artifactId>
             <version>${common.version}</version>
         </dependency>
+		<dependency>
+			<groupId>com.github.navikt.poao-tilgang</groupId>
+			<artifactId>client</artifactId>
+			<version>2023.03.17_11.36-31ab7c6e4216</version>
+		</dependency>
 
         <!-- Tjenestespesifikasjoner -->
         <dependency>

src/main/java/no/nav/veilarbarena/config/ApplicationConfig.java

@@ -1,5 +1,7 @@
 package no.nav.veilarbarena.config;
 
+import com.github.benmanes.caffeine.cache.Cache;
+import com.github.benmanes.caffeine.cache.Caffeine;
 import lombok.extern.slf4j.Slf4j;
 import no.nav.common.abac.Pep;
 import no.nav.common.abac.VeilarbPepFactory;
@@ -20,6 +22,13 @@
 import no.nav.common.token_client.client.AzureAdMachineToMachineTokenClient;
 import no.nav.common.utils.Credentials;
 import no.nav.common.utils.EnvironmentUtils;
+import no.nav.common.rest.client.RestClient;
+import no.nav.poao_tilgang.client.AdGruppe;
+import no.nav.poao_tilgang.client.Decision;
+import no.nav.poao_tilgang.client.PoaoTilgangCachedClient;
+import no.nav.poao_tilgang.client.PoaoTilgangClient;
+import no.nav.poao_tilgang.client.PoaoTilgangHttpClient;
+import no.nav.poao_tilgang.client.PolicyInput;
 import no.nav.veilarbarena.client.ords.ArenaOrdsClient;
 import no.nav.veilarbarena.client.ords.ArenaOrdsClientImpl;
 import no.nav.veilarbarena.client.ords.ArenaOrdsTokenProviderClient;
@@ -30,6 +39,10 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.scheduling.annotation.EnableScheduling;
 
+import java.time.Duration;
+import java.util.List;
+import java.util.UUID;
+
 import static no.nav.common.kafka.util.KafkaPropertiesPreset.aivenByteProducerProperties;
 import static no.nav.common.utils.NaisUtils.getCredentials;
 import static no.nav.common.utils.UrlUtils.createDevInternalIngressUrl;
@@ -44,6 +57,15 @@
 public class ApplicationConfig {
 
     public static final String APPLICATION_NAME = "veilarbarena";
+	private final Cache<PolicyInput, Decision> policyInputToDecisionCache = Caffeine.newBuilder()
+			.expireAfterWrite(Duration.ofMinutes(30))
+			.build();
+	private final Cache<UUID, List<AdGruppe>> navAnsattIdToAzureAdGrupperCache = Caffeine.newBuilder()
+			.expireAfterWrite(Duration.ofMinutes(30))
+			.build();
+	private final Cache<String, Boolean> norskIdentToErSkjermetCache = Caffeine.newBuilder()
+			.expireAfterWrite(Duration.ofMinutes(30))
+			.build();
 
     @Bean
     public Credentials serviceUserCredentials() {
@@ -127,6 +149,20 @@ public ArenaOrdsClient arenaOrdsClient(ArenaOrdsTokenProviderClient arenaOrdsTok
         return new ArenaOrdsClientImpl(createArenaOrdsUrl(), arenaOrdsTokenProviderClient::getToken);
     }
 
+	@Bean
+	public PoaoTilgangClient poaoTilgangClient(EnvironmentProperties properties, AzureAdMachineToMachineTokenClient tokenClient) {
+		return new PoaoTilgangCachedClient(
+			new PoaoTilgangHttpClient(
+					properties.getPoaoTilgangUrl(),
+					() -> tokenClient.createMachineToMachineToken(properties.getPoaoTilgangScope()),
+					RestClient.baseClient()
+			),
+			policyInputToDecisionCache,
+			navAnsattIdToAzureAdGrupperCache,
+			norskIdentToErSkjermetCache
+		);
+	}
+
     private static String createArenaOrdsUrl() {
         boolean isProduction = EnvironmentUtils.isProduction().orElseThrow(() -> new IllegalStateException("Cluster name is missing"));
         return isProduction

src/main/java/no/nav/veilarbarena/config/EnvironmentProperties.java

@@ -40,4 +40,7 @@ public class EnvironmentProperties {
 
     private String ytelseskontraktV3Endpoint;
 
+	private String poaoTilgangUrl;
+
+	private String poaoTilgangScope;
 }

src/main/java/no/nav/veilarbarena/service/AuthService.java

@@ -1,19 +1,27 @@
 package no.nav.veilarbarena.service;
 
+import com.nimbusds.jwt.JWTClaimsSet;
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import no.nav.common.abac.Pep;
 import no.nav.common.abac.domain.request.ActionId;
 import no.nav.common.auth.context.AuthContextHolder;
-import no.nav.common.client.aktoroppslag.AktorOppslagClient;
-import no.nav.common.types.identer.AktorId;
 import no.nav.common.types.identer.Fnr;
+import no.nav.poao_tilgang.client.Decision;
+import no.nav.poao_tilgang.client.NavAnsattTilgangTilEksternBrukerPolicyInput;
+import no.nav.poao_tilgang.client.PoaoTilgangClient;
+import no.nav.poao_tilgang.client.TilgangType;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Service;
 import org.springframework.web.server.ResponseStatusException;
 
 import java.util.Arrays;
+import java.util.Optional;
+import java.util.UUID;
+
+import static java.util.Optional.empty;
+import static java.util.Optional.ofNullable;
 
 @Slf4j
 @Service
@@ -23,18 +31,33 @@ public class AuthService {
 
     private final Pep veilarbPep;
 
+    private final PoaoTilgangClient poaoTilgangClient;
+
+    private final UnleashService unleashService;
+
     @Autowired
-    public AuthService(AuthContextHolder authContextHolder,  Pep veilarbPep) {
+    public AuthService(AuthContextHolder authContextHolder,  Pep veilarbPep, PoaoTilgangClient poaoTilgangClient, UnleashService unleashService) {
         this.authContextHolder = authContextHolder;
         this.veilarbPep = veilarbPep;
+        this.poaoTilgangClient = poaoTilgangClient;
+        this.unleashService = unleashService;
     }
 
     public void sjekkTilgang(Fnr fnr) {
         String innloggetBrukerToken = authContextHolder.requireIdTokenString();
+        if (unleashService.skalBrukePoaoTilgang()) {
+			Decision desicion = poaoTilgangClient.evaluatePolicy(new NavAnsattTilgangTilEksternBrukerPolicyInput(
+					hentInnloggetVeilederUUID(), TilgangType.LESE, fnr.get()
+			)).getOrThrow();
+			if (desicion.isDeny()) {
+				throw new ResponseStatusException(HttpStatus.FORBIDDEN);
+			}
+        } else {
+			if (!veilarbPep.harTilgangTilPerson(innloggetBrukerToken, ActionId.READ, fnr)) {
+				throw new ResponseStatusException(HttpStatus.FORBIDDEN);
+			}
+		}
 
-        if (!veilarbPep.harTilgangTilPerson(innloggetBrukerToken, ActionId.READ, fnr)) {
-            throw new ResponseStatusException(HttpStatus.FORBIDDEN);
-        }
     }
 
     public boolean erSystembruker() {
@@ -52,4 +75,17 @@ public void sjekkAtSystembrukerErWhitelistet(String... clientIdWhitelist) {
         }
     }
 
+	public static Optional<String> getStringClaimOrEmpty(JWTClaimsSet claims, String claimName) {
+		try {
+			return ofNullable(claims.getStringClaim(claimName));
+		} catch (Exception e) {
+			return empty();
+		}
+	}
+	public UUID hentInnloggetVeilederUUID() {
+		return authContextHolder.getIdTokenClaims()
+				.flatMap(claims -> getStringClaimOrEmpty(claims, "oid"))
+				.map(UUID::fromString)
+				.orElseThrow (() -> new ResponseStatusException(HttpStatus.FORBIDDEN, "Fant ikke oid for innlogget veileder") );
+	}
 }

src/main/java/no/nav/veilarbarena/service/UnleashService.java

@@ -8,8 +8,14 @@ public class UnleashService {
 
     private final UnleashClient unleashClient;
 
+	private static final String UNLEASH_POAO_TILGANG_ENABLED = "veilarbarena.poao-tilgang-enabled";
+
     public UnleashService(UnleashClient unleashClient) {
         this.unleashClient = unleashClient;
     }
+
+	public boolean skalBrukePoaoTilgang() {
+		return unleashClient.isEnabled(UNLEASH_POAO_TILGANG_ENABLED);
+	}
 }
 

src/main/resources/application.properties

@@ -36,6 +36,8 @@ app.env.amtTiltakClientId=${AMT_TILTAK_CLIENT_ID:null}
 app.env.veilarbregistreringClientId=${VEILARBREGISTRERING_CLIENT_ID:null}
 app.env.veilarbregistreringClientIdGCP=${VEILARBREGISTRERING_CLIENT_ID_GCP:null}
 app.env.poaoTilgangClientId=${POAO_TILGANG_CLIENT_ID:null}
+app.env.poaoTilgangUrl=${POAO_TILGANG_URL:#{null}}
+app.env.poaoTilgangScope=${POAO_TILGANG_SCOPE:#{null}}
 
 app.kafka.brokersUrl=${KAFKA_BROKERS_URL}
 app.kafka.endringPaaOppfolgingsbrukerTopic=${ENDRING_PAA_OPPFOELGINGSBRUKER_TOPIC}