Merge pull request #267 from navikt/dev

Prodsette bruk av poao-tilgang

nais-dev.yaml

@@ -100,3 +100,7 @@ spec:
       value: 98a17237-0bfc-496e-ba28-cdb320960257
     - name: POAO_TILGANG_CLIENT_ID
       value: 986c77da-3cfa-4a9e-b11d-b3d193ada8cd
+    - name: POAO_TILGANG_URL
+      value: https://poao-tilgang.dev.intern.nav.no
+    - name: POAO_TILGANG_SCOPE
+      value: api://dev-gcp.poao.poao-tilgang/.default

nais-prod.yaml

@@ -97,3 +97,7 @@ spec:
       value: 4bc6277f-7c25-49b9-803f-a9873995889f
     - name: POAO_TILGANG_CLIENT_ID
       value: b345dcb8-d4f8-41fc-9d4e-bc169c04145b
+    - name: POAO_TILGANG_URL
+      value: https://poao-tilgang.intern.nav.no
+    - name: POAO_TILGANG_SCOPE
+      value: api://prod-gcp.poao.poao-tilgang/.default

pom.xml

@@ -40,6 +40,7 @@
             <plugin>
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-maven-plugin</artifactId>
+                <version>2.7.8</version>
             </plugin>
         </plugins>
         <finalName>veilarbarena</finalName>
@@ -49,7 +50,7 @@
         <dependency>
             <groupId>com.github.ben-manes.caffeine</groupId>
             <artifactId>caffeine</artifactId>
-            <version>3.1.1</version>
+            <version>3.1.2</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -83,7 +84,7 @@
         <dependency>
             <groupId>org.springdoc</groupId>
             <artifactId>springdoc-openapi-ui</artifactId>
-            <version>1.6.13</version>
+            <version>1.6.14</version>
         </dependency>
         <dependency>
             <groupId>com.zaxxer</groupId>
@@ -238,7 +239,7 @@
         <dependency>
             <groupId>com.h2database</groupId>
             <artifactId>h2</artifactId>
-            <version>1.4.200</version>
+            <version>2.1.214</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -252,6 +253,10 @@
             <artifactId>spring-boot-starter-test</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>com.github.navikt.poao-tilgang</groupId>
+            <artifactId>client</artifactId>
+            <version>2023.01.27_14.49-9fe135865a9f</version>
+        </dependency>
     </dependencies>
-
 </project>

src/main/java/no/nav/veilarbarena/config/ApplicationConfig.java

@@ -1,5 +1,7 @@
 package no.nav.veilarbarena.config;
 
+import com.github.benmanes.caffeine.cache.Cache;
+import com.github.benmanes.caffeine.cache.Caffeine;
 import lombok.extern.slf4j.Slf4j;
 import no.nav.common.abac.Pep;
 import no.nav.common.abac.VeilarbPepFactory;
@@ -16,10 +18,12 @@
 import no.nav.common.job.leader_election.LeaderElectionHttpClient;
 import no.nav.common.metrics.InfluxClient;
 import no.nav.common.metrics.MetricsClient;
+import no.nav.common.rest.client.RestClient;
 import no.nav.common.token_client.builder.AzureAdTokenClientBuilder;
 import no.nav.common.token_client.client.AzureAdMachineToMachineTokenClient;
 import no.nav.common.utils.Credentials;
 import no.nav.common.utils.EnvironmentUtils;
+import no.nav.poao_tilgang.client.*;
 import no.nav.veilarbarena.client.ords.ArenaOrdsClient;
 import no.nav.veilarbarena.client.ords.ArenaOrdsClientImpl;
 import no.nav.veilarbarena.client.ords.ArenaOrdsTokenProviderClient;
@@ -30,6 +34,10 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.scheduling.annotation.EnableScheduling;
 
+import java.time.Duration;
+import java.util.List;
+import java.util.UUID;
+
 import static no.nav.common.kafka.util.KafkaPropertiesPreset.aivenByteProducerProperties;
 import static no.nav.common.utils.NaisUtils.getCredentials;
 import static no.nav.common.utils.UrlUtils.createDevInternalIngressUrl;
@@ -43,6 +51,15 @@
 @EnableConfigurationProperties({EnvironmentProperties.class})
 public class ApplicationConfig {
 
+    private final Cache<PolicyInput, Decision> policyInputToDecisionCache = Caffeine.newBuilder()
+            .expireAfterWrite(Duration.ofMinutes(30))
+            .build();
+    private final Cache<UUID, List<AdGruppe>> navAnsattIdToAzureAdGrupperCache = Caffeine.newBuilder()
+            .expireAfterWrite(Duration.ofMinutes(30))
+            .build();
+    private final Cache<String, Boolean> norskIdentToErSkjermetCache = Caffeine.newBuilder()
+            .expireAfterWrite(Duration.ofMinutes(30))
+            .build();
     public static final String APPLICATION_NAME = "veilarbarena";
 
     @Bean
@@ -121,12 +138,25 @@ public YtelseskontraktClient ytelseskontraktClient(EnvironmentProperties propert
     public ArenaOrdsTokenProviderClient arenaOrdsTokenProvider() {
         return new ArenaOrdsTokenProviderClient(createArenaOrdsUrl());
     }
-
     @Bean
     public ArenaOrdsClient arenaOrdsClient(ArenaOrdsTokenProviderClient arenaOrdsTokenProviderClient) {
         return new ArenaOrdsClientImpl(createArenaOrdsUrl(), arenaOrdsTokenProviderClient::getToken);
     }
 
+    @Bean
+    public PoaoTilgangClient poaoTilgangClient(EnvironmentProperties properties, AzureAdMachineToMachineTokenClient tokenClient) {
+        return new PoaoTilgangCachedClient(
+                new PoaoTilgangHttpClient(
+                        properties.getPoaoTilgangUrl(),
+                        () -> tokenClient.createMachineToMachineToken(properties.getPoaoTilgangScope()),
+                        RestClient.baseClient()
+                ),
+                policyInputToDecisionCache,
+                navAnsattIdToAzureAdGrupperCache,
+                norskIdentToErSkjermetCache
+        );
+    }
+
     private static String createArenaOrdsUrl() {
         boolean isProduction = EnvironmentUtils.isProduction().orElseThrow(() -> new IllegalStateException("Cluster name is missing"));
         return isProduction

src/main/java/no/nav/veilarbarena/config/EnvironmentProperties.java

@@ -40,4 +40,8 @@ public class EnvironmentProperties {
 
     private String ytelseskontraktV3Endpoint;
 
+    private String poaoTilgangUrl;
+
+    private String poaoTilgangScope;
+
 }

src/main/java/no/nav/veilarbarena/config/FilterConfig.java

@@ -5,7 +5,9 @@
 import no.nav.common.auth.oidc.filter.AzureAdUserRoleResolver;
 import no.nav.common.auth.oidc.filter.JavaxOidcAuthenticationFilter;
 import no.nav.common.auth.oidc.filter.JavaxOidcAuthenticatorConfig;
-import no.nav.common.rest.filter.*;
+import no.nav.common.rest.filter.JavaxConsumerIdComplianceFilter;
+import no.nav.common.rest.filter.JavaxLogRequestFilter;
+import no.nav.common.rest.filter.JavaxSetStandardHttpHeadersFilter;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;

src/main/java/no/nav/veilarbarena/service/AuthService.java

@@ -1,19 +1,27 @@
 package no.nav.veilarbarena.service;
 
+import com.nimbusds.jwt.JWTClaimsSet;
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import no.nav.common.abac.Pep;
 import no.nav.common.abac.domain.request.ActionId;
 import no.nav.common.auth.context.AuthContextHolder;
-import no.nav.common.client.aktoroppslag.AktorOppslagClient;
-import no.nav.common.types.identer.AktorId;
 import no.nav.common.types.identer.Fnr;
+import no.nav.poao_tilgang.client.Decision;
+import no.nav.poao_tilgang.client.NavAnsattTilgangTilEksternBrukerPolicyInput;
+import no.nav.poao_tilgang.client.PoaoTilgangClient;
+import no.nav.poao_tilgang.client.TilgangType;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Service;
 import org.springframework.web.server.ResponseStatusException;
 
 import java.util.Arrays;
+import java.util.Optional;
+import java.util.UUID;
+
+import static java.util.Optional.empty;
+import static java.util.Optional.ofNullable;
 
 @Slf4j
 @Service
@@ -23,18 +31,32 @@ public class AuthService {
 
     private final Pep veilarbPep;
 
+    private final UnleashService unleashService;
+
+    private final PoaoTilgangClient poaoTilgangClient;
+
+
     @Autowired
-    public AuthService(AuthContextHolder authContextHolder,  Pep veilarbPep) {
+    public AuthService(AuthContextHolder authContextHolder,
+                       Pep veilarbPep,
+                       UnleashService unleashService,
+                       PoaoTilgangClient poaoTilgangClient
+    ) {
         this.authContextHolder = authContextHolder;
         this.veilarbPep = veilarbPep;
+        this.unleashService = unleashService;
+        this.poaoTilgangClient = poaoTilgangClient;
     }
 
     public void sjekkTilgang(Fnr fnr) {
         String innloggetBrukerToken = authContextHolder.requireIdTokenString();
-
+        if (unleashService.skalBrukePoaoTilgang()) {
+            harVeilederTilgangTilEksternBruker(fnr.get());
+        } else {
         if (!veilarbPep.harTilgangTilPerson(innloggetBrukerToken, ActionId.READ, fnr)) {
             throw new ResponseStatusException(HttpStatus.FORBIDDEN);
         }
+        }
     }
 
     public boolean erSystembruker() {
@@ -51,5 +73,24 @@ public void sjekkAtSystembrukerErWhitelistet(String... clientIdWhitelist) {
             throw new ResponseStatusException(HttpStatus.FORBIDDEN);
         }
     }
+    public static Optional<String> getStringClaimOrEmpty(JWTClaimsSet claims, String claimName) {
+        try {
+            return ofNullable(claims.getStringClaim(claimName));
+        } catch (Exception e) {
+            return empty();
+        }
+    }
+    public UUID hentInnloggetVeilederUUID() {
+        return authContextHolder.getIdTokenClaims()
+                .flatMap(claims -> getStringClaimOrEmpty(claims, "oid"))
+                .map(UUID::fromString)
+                .orElseThrow (() -> new ResponseStatusException(HttpStatus.FORBIDDEN, "Fant ikke oid for innlogget veileder") );
+    }
+    private boolean harVeilederTilgangTilEksternBruker(String eksternBruker) {
+        Decision desicion = poaoTilgangClient.evaluatePolicy(new NavAnsattTilgangTilEksternBrukerPolicyInput(
+                hentInnloggetVeilederUUID(), TilgangType.LESE, eksternBruker
+        )).getOrThrow();
+        return desicion.isPermit();
+    }
 
 }

src/main/java/no/nav/veilarbarena/service/UnleashService.java

@@ -1,5 +1,6 @@
 package no.nav.veilarbarena.service;
 
+import lombok.RequiredArgsConstructor;
 import no.nav.common.featuretoggle.UnleashClient;
 import org.springframework.stereotype.Service;
 
@@ -8,8 +9,14 @@ public class UnleashService {
 
     private final UnleashClient unleashClient;
 
+    private static final String UNLEASH_POAO_TILGANG_ENABLED = "veilarbarena.poao-tilgang-enabled";
+
     public UnleashService(UnleashClient unleashClient) {
         this.unleashClient = unleashClient;
     }
+
+    public boolean skalBrukePoaoTilgang(){
+        return unleashClient.isEnabled(UNLEASH_POAO_TILGANG_ENABLED);
+    }
 }
 

src/main/resources/application.properties

@@ -27,15 +27,16 @@ app.env.unleashUrl=${UNLEASH_API_URL}
 app.env.soapStsUrl=${SECURITYTOKENSERVICE_URL}
 app.env.ytelseskontraktV3Endpoint=${VIRKSOMHET_YTELSESKONTRAKT_V3_ENDPOINTURL}
 
-app.env.naisAadDiscoveryUrl=${AZURE_APP_WELL_KNOWN_URL:null}
-app.env.naisAadClientId=${AZURE_APP_CLIENT_ID:null}
+app.env.naisAadDiscoveryUrl=${AZURE_APP_WELL_KNOWN_URL:#{null}}
+app.env.naisAadClientId=${AZURE_APP_CLIENT_ID:#{null}}
 
-app.env.poaoGcpProxyClientId=${POAO_GCP_PROXY_CLIENT_ID:null}
-app.env.tiltaksgjennomforingApiClientId=${TILTAKSGJENNOMFORING_API_CLIENT_ID:null}
+app.env.poaoGcpProxyClientId=${POAO_GCP_PROXY_CLIENT_ID:#{null}}
+app.env.tiltaksgjennomforingApiClientId=${TILTAKSGJENNOMFORING_API_CLIENT_ID:#{null}}
 app.env.amtTiltakClientId=${AMT_TILTAK_CLIENT_ID:null}
-app.env.veilarbregistreringClientId=${VEILARBREGISTRERING_CLIENT_ID:null}
-app.env.veilarbregistreringClientIdGCP=${VEILARBREGISTRERING_CLIENT_ID_GCP:null}
-app.env.poaoTilgangClientId=${POAO_TILGANG_CLIENT_ID:null}
+app.env.veilarbregistreringClientId=${VEILARBREGISTRERING_CLIENT_ID:#{null}}
+app.env.veilarbregistreringClientIdGCP=${VEILARBREGISTRERING_CLIENT_ID_GCP:#{null}}
+app.env.poaoTilgangUrl=${POAO_TILGANG_URL:#{null}}
+app.env.poaoTilgangScope=${POAO_TILGANG_SCOPE:#{null}}
 
 app.kafka.brokersUrl=${KAFKA_BROKERS_URL}
 app.kafka.endringPaaOppfolgingsbrukerTopic=${ENDRING_PAA_OPPFOELGINGSBRUKER_TOPIC}

src/test/java/no/nav/veilarbarena/VeilarbarenaTestApp.java

@@ -2,10 +2,13 @@
 
 import no.nav.veilarbarena.config.ApplicationTestConfig;
 import org.springframework.boot.SpringApplication;
+import org.springframework.boot.actuate.autoconfigure.metrics.CompositeMeterRegistryAutoConfiguration;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.boot.web.servlet.ServletComponentScan;
 import org.springframework.context.annotation.Import;
 
-@EnableAutoConfiguration
+@EnableAutoConfiguration(exclude = {CompositeMeterRegistryAutoConfiguration.class})
+@ServletComponentScan
 @Import(ApplicationTestConfig.class)
 public class VeilarbarenaTestApp {
 

src/test/java/no/nav/veilarbarena/config/ApplicationTestConfig.java

@@ -1,5 +1,6 @@
 package no.nav.veilarbarena.config;
 
+import io.micrometer.core.instrument.MeterRegistry;
 import no.finn.unleash.UnleashContext;
 import no.nav.common.abac.AbacClient;
 import no.nav.common.abac.Pep;
@@ -13,6 +14,7 @@
 import no.nav.common.metrics.MetricsClient;
 import no.nav.common.types.identer.Fnr;
 import no.nav.common.utils.Credentials;
+import no.nav.poao_tilgang.client.PoaoTilgangClient;
 import no.nav.veilarbarena.client.ords.ArenaOrdsClient;
 import no.nav.veilarbarena.client.ords.dto.ArenaAktiviteterDTO;
 import no.nav.veilarbarena.client.ords.dto.ArenaOppfolgingssakDTO;
@@ -29,6 +31,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
+import org.springframework.context.annotation.Profile;
 import org.springframework.jdbc.core.JdbcTemplate;
 import org.testcontainers.containers.KafkaContainer;
 import org.testcontainers.utility.DockerImageName;
@@ -39,6 +42,7 @@
 import java.util.Properties;
 
 import static no.nav.veilarbarena.config.KafkaConfig.PRODUCER_CLIENT_ID;
+import static org.mockito.Mockito.mock;
 
 @Configuration
 @EnableConfigurationProperties({EnvironmentProperties.class})
@@ -97,7 +101,7 @@ public KafkaContainer kafkaContainer() {
     }
 
     @Bean
-    public KafkaConfig.EnvironmentContext kafkaConfigEnvironmentContext(KafkaContainer kafkaContainer) {
+    public KafkaConfig.EnvironmentContext kafkaConfigEnvContext(KafkaContainer kafkaContainer) {
         Properties properties = KafkaPropertiesBuilder.producerBuilder()
                 .withBrokerUrl(kafkaContainer.getBootstrapServers())
                 .withProducerId(PRODUCER_CLIENT_ID)
@@ -182,5 +186,13 @@ public HealthCheckResult checkHealth() {
             }
         };
     }
+    @Bean
+    public PoaoTilgangClient poaoTilgangClient() { return mock(PoaoTilgangClient.class); }
+
+    @Bean
+    @Profile("!local")
+    public MeterRegistry meterRegistry(){
+        return mock(MeterRegistry.class);
+    }
 
 }

src/test/java/no/nav/veilarbarena/controller/ArenaControllerTest.java

@@ -4,6 +4,7 @@
 import no.nav.common.types.identer.Fnr;
 import no.nav.veilarbarena.client.ords.dto.ArenaOppfolgingssakDTO;
 import no.nav.veilarbarena.client.ytelseskontrakt.YtelseskontraktResponse;
+import no.nav.veilarbarena.config.ApplicationTestConfig;
 import no.nav.veilarbarena.config.EnvironmentProperties;
 import no.nav.veilarbarena.controller.response.ArenaStatusDTO;
 import no.nav.veilarbarena.service.ArenaService;
@@ -13,6 +14,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
 import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.web.servlet.MockMvc;
 
 import java.time.LocalDate;
@@ -27,6 +29,7 @@
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+@ContextConfiguration(classes = ApplicationTestConfig.class)
 @WebMvcTest(controllers = ArenaController.class)
 public class ArenaControllerTest {
 
@@ -38,6 +41,7 @@ public class ArenaControllerTest {
     @MockBean
     private EnvironmentProperties environmentProperties;
 
+
     @MockBean
     private AuthService authService;