Merge pull request #279 from navikt/dev

Prodsetting av logging som skal fjernes
navikt · Mar 24, 2023 · cd5483e · cd5483e
2 parents 50a0f63 + 29f4ba0
commit cd5483e
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 1 deletion.
diff --git a/nais-dev.yaml b/nais-dev.yaml
@@ -104,3 +104,5 @@ spec:
       value: https://poao-tilgang.dev.intern.nav.no
     - name: POAO_TILGANG_SCOPE
       value: api://dev-gcp.poao.poao-tilgang/.default
+  secureLogs:
+    enabled: true
diff --git a/nais-prod.yaml b/nais-prod.yaml
@@ -101,3 +101,5 @@ spec:
       value: https://poao-tilgang.intern.nav.no
     - name: POAO_TILGANG_SCOPE
       value: api://prod-gcp.poao.poao-tilgang/.default
+  secureLogs:
+    enabled: true
diff --git a/src/main/java/no/nav/veilarbarena/service/AuthService.java b/src/main/java/no/nav/veilarbarena/service/AuthService.java
@@ -6,11 +6,14 @@
 import no.nav.common.abac.Pep;
 import no.nav.common.abac.domain.request.ActionId;
 import no.nav.common.auth.context.AuthContextHolder;
+import no.nav.common.auth.context.UserRole;
 import no.nav.common.types.identer.Fnr;
 import no.nav.poao_tilgang.client.Decision;
 import no.nav.poao_tilgang.client.NavAnsattTilgangTilEksternBrukerPolicyInput;
 import no.nav.poao_tilgang.client.PoaoTilgangClient;
 import no.nav.poao_tilgang.client.TilgangType;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Service;
@@ -35,6 +38,8 @@ public class AuthService {
 
     private final UnleashService unleashService;
 
+    public static Logger secureLog = LoggerFactory.getLogger("SecureLog");
+
     @Autowired
     public AuthService(AuthContextHolder authContextHolder, Pep veilarbPep, PoaoTilgangClient poaoTilgangClient, UnleashService unleashService) {
         this.authContextHolder = authContextHolder;
@@ -44,17 +49,23 @@ public AuthService(AuthContextHolder authContextHolder, Pep veilarbPep, PoaoTilg
     }
 
     public void sjekkTilgang(Fnr fnr) {
+        String requestId = UUID.randomUUID().toString();
+        String userRole = authContextHolder.getRole().map(UserRole::name).orElse("UKJENT");
         String innloggetBrukerToken = authContextHolder.requireIdTokenString();
+        Boolean abacDecision = veilarbPep.harTilgangTilPerson(innloggetBrukerToken, ActionId.READ, fnr);
+        secureLog.info("abacDecision = {}, requestId = {} , userRole = {}", abacDecision, requestId, userRole);
 
         if (unleashService.skalBrukePoaoTilgang() && !erSystembruker()) {
+            secureLog.info("Skal kalle poao-tilgang hvor hvor requestId = {}, uuid = {}, pid = {}, NavIdent = {}, subject = {}", requestId, hentInnloggetVeilederUUIDOrElseNull(), hentInnloggetVeilederpid(), hentInnloggetVeilederNavIdent(), hentInnloggetVeilederSubject());
             Decision desicion = poaoTilgangClient.evaluatePolicy(new NavAnsattTilgangTilEksternBrukerPolicyInput(
                     hentInnloggetVeilederUUID(), TilgangType.LESE, fnr.get()
             )).getOrThrow();
+            secureLog.info("Decision is deny = {} hvor requestId = {}, uuid = {}, pid = {}, NavIdent = {}, subject = {}, innloggetBrukerToken = {}", desicion.isDeny(), requestId, hentInnloggetVeilederUUIDOrElseNull(), hentInnloggetVeilederpid(), hentInnloggetVeilederNavIdent(), hentInnloggetVeilederSubject(), innloggetBrukerToken);
             if (desicion.isDeny()) {
                 throw new ResponseStatusException(HttpStatus.FORBIDDEN);
             }
         } else {
-            if (!veilarbPep.harTilgangTilPerson(innloggetBrukerToken, ActionId.READ, fnr)) {
+            if (!abacDecision) {
                 throw new ResponseStatusException(HttpStatus.FORBIDDEN);
             }
         }
@@ -90,4 +101,30 @@ public UUID hentInnloggetVeilederUUID() {
                 .map(UUID::fromString)
                 .orElseThrow(() -> new ResponseStatusException(HttpStatus.FORBIDDEN, "Fant ikke oid for innlogget veileder"));
     }
+
+
+    public UUID hentInnloggetVeilederUUIDOrElseNull() {
+        return authContextHolder.getIdTokenClaims()
+                .flatMap(claims -> getStringClaimOrEmpty(claims, "oid"))
+                .map(UUID::fromString)
+                .orElse(null);
+    }
+
+    public String hentInnloggetVeilederpid() {
+        return authContextHolder.getIdTokenClaims()
+                .flatMap(claims -> getStringClaimOrEmpty(claims, "pid"))
+                .orElse(null);
+    }
+
+    public String hentInnloggetVeilederNavIdent() {
+        return authContextHolder.getIdTokenClaims()
+                .flatMap(claims -> getStringClaimOrEmpty(claims, "NAVident"))
+                .orElse(null);
+    }
+
+    public String hentInnloggetVeilederSubject() {
+        return authContextHolder.getIdTokenClaims()
+                .flatMap(claims -> getStringClaimOrEmpty(claims, "sub"))
+                .orElse(null);
+    }
 }
diff --git a/src/main/resources/logback.xml b/src/main/resources/logback.xml
@@ -3,4 +3,5 @@
     <include resource="no/nav/common/log/logback-stdout-json.xml"/>
     <include resource="no/nav/common/log/logback-naudit.xml"/>
     <include resource="no/nav/common/log/logback-cxf.xml"/>
+    <include resource="no/nav/common/log/logback-securelogs.xml"/>
 </configuration>