Autentisere med azure (#118)

DAG-152 Autentisere med azure
+ oppgradering av java runtime ++

Author: geiralund

.github/workflows/dp-inntekt-api-deploy.yaml

@@ -15,7 +15,7 @@ jobs:
       - name: Set up Java
         uses: actions/setup-java@v1
         with:
-          java-version: '13.x'
+          java-version: '17.x'
 
       - name: Setup gradle dependency cache
         uses: actions/cache@v2

.github/workflows/dp-inntekt-grpc-build.yml

@@ -16,7 +16,7 @@ jobs:
       - name: Set up Java
         uses: actions/setup-java@v1
         with:
-          java-version: '13.x'
+          java-version: '17.x'
 
       - name: Cache gradle dependencies
         uses: actions/cache@v1

Dockerfile

@@ -1,4 +1,4 @@
-FROM navikt/java:13
+FROM navikt/java:17
 
 EXPOSE 50051
 

build.gradle.kts

@@ -30,12 +30,12 @@ allprojects {
     }
 
     tasks.withType<org.jetbrains.kotlin.gradle.tasks.KotlinCompile> {
-        kotlinOptions.jvmTarget = JavaVersion.VERSION_1_8.toString()
+        kotlinOptions.jvmTarget = JavaVersion.VERSION_17.toString()
     }
 
     java {
-        sourceCompatibility = JavaVersion.VERSION_1_8
-        targetCompatibility = JavaVersion.VERSION_1_8
+        sourceCompatibility = JavaVersion.VERSION_17
+        targetCompatibility = JavaVersion.VERSION_17
     }
 
     tasks.withType<Wrapper> {
@@ -69,7 +69,7 @@ allprojects {
     }
 
     repositories {
-        jcenter()
+        mavenCentral()
         maven("https://jitpack.io")
     }
 }

buildSrc/build.gradle.kts

@@ -3,5 +3,5 @@ plugins {
 }
 
 repositories {
-    jcenter()
+    mavenCentral()
 }

dp-inntekt-api/build.gradle.kts

@@ -10,7 +10,7 @@ plugins {
 
 buildscript {
     repositories {
-        jcenter()
+        mavenCentral()
     }
 }
 
@@ -98,6 +98,8 @@ dependencies {
         // https://youtrack.jetbrains.com/issue/KT-46090
         exclude("org.jetbrains.kotlin", "kotlin-test-junit")
     }
+
+    testImplementation("no.nav.security:mock-oauth2-server:0.4.3")
     testImplementation(Ktor.library("client-mock"))
     testImplementation(Junit5.api)
     testImplementation(Junit5.params)

dp-inntekt-api/src/main/kotlin/no/nav/dagpenger/inntekt/Application.kt

@@ -8,6 +8,7 @@ import io.prometheus.client.hotspot.DefaultExports
 import kotlinx.coroutines.launch
 import kotlinx.coroutines.runBlocking
 import mu.KotlinLogging
+import no.nav.dagpenger.inntekt.Config.inntektApiConfig
 import no.nav.dagpenger.inntekt.db.PostgresInntektStore
 import no.nav.dagpenger.inntekt.db.dataSourceFrom
 import no.nav.dagpenger.inntekt.db.migrate
@@ -26,10 +27,11 @@ import java.util.concurrent.TimeUnit
 import kotlin.concurrent.fixedRateTimer
 
 private val LOGGER = KotlinLogging.logger {}
-private val config = Configuration()
+private val configuration = Config.config
 
 fun main() {
     runBlocking {
+        val config = configuration.inntektApiConfig
         migrate(config)
         DefaultExports.initialize()
 
@@ -94,6 +96,7 @@ fun main() {
         // Provides a HTTP API for getting inntekt
         embeddedServer(Netty, port = config.application.httpPort) {
             inntektApi(
+                configuration,
                 inntektskomponentHttpClient,
                 postgresInntektStore,
                 cachedInntektsGetter,

dp-inntekt-api/src/main/kotlin/no/nav/dagpenger/inntekt/AzureAuth.kt

@@ -0,0 +1,49 @@
+package no.nav.dagpenger.inntekt
+
+import com.auth0.jwk.JwkProvider
+import com.auth0.jwk.JwkProviderBuilder
+import com.natpryce.konfig.Configuration
+import com.natpryce.konfig.Key
+import com.natpryce.konfig.stringType
+import io.ktor.auth.jwt.JWTAuthenticationProvider
+import io.ktor.auth.jwt.JWTCredential
+import io.ktor.auth.jwt.JWTPrincipal
+import mu.KotlinLogging
+import java.net.URL
+import java.util.concurrent.TimeUnit
+
+private val LOGGER = KotlinLogging.logger {}
+
+internal fun JWTAuthenticationProvider.Configuration.azureAdJWT(config: Configuration) {
+    val jwksUri = config[Key("AZURE_OPENID_CONFIG_JWKS_URI", stringType)]
+    val issuer = config[Key("AZURE_OPENID_CONFIG_ISSUER", stringType)]
+    val clientId = config[Key("AZURE_APP_CLIENT_ID", stringType)]
+    this.realm = "dp-inntekt-api"
+
+    this.verifier(jwkProvider(jwksUri), issuer)
+    validate { credentials: JWTCredential ->
+        try {
+            requireNotNull(credentials.payload.audience) {
+                "Auth: Missing audience in token"
+            }
+            require(credentials.payload.audience.contains(clientId)) {
+                "Auth: Valid audience not found in claims"
+            }
+            JWTPrincipal(credentials.payload)
+        } catch (e: Throwable) {
+            LOGGER.error("Unauthorized", e)
+            null
+        }
+    }
+}
+
+private fun jwkProvider(url: String): JwkProvider {
+    return JwkProviderBuilder(URL(url))
+        .cached(10, 24, TimeUnit.HOURS) // cache up to 10 JWKs for 24 hours
+        .rateLimited(
+            10,
+            1,
+            TimeUnit.MINUTES
+        ) // if not cached, only allow max 10 different keys per minute to be fetched from external provider
+        .build()
+}

dp-inntekt-api/src/main/kotlin/no/nav/dagpenger/inntekt/Configuration.kt

@@ -1,13 +1,15 @@
 package no.nav.dagpenger.inntekt
 
 import com.auth0.jwk.JwkProvider
+import com.natpryce.konfig.Configuration
 import com.ryanharter.ktor.moshi.moshi
 import com.squareup.moshi.JsonDataException
 import com.squareup.moshi.JsonEncodingException
 import io.ktor.application.Application
 import io.ktor.application.call
 import io.ktor.application.install
 import io.ktor.auth.Authentication
+import io.ktor.auth.authenticate
 import io.ktor.auth.jwt.JWTPrincipal
 import io.ktor.auth.jwt.jwt
 import io.ktor.features.CallId
@@ -30,6 +32,7 @@ import io.micrometer.prometheus.PrometheusConfig
 import io.micrometer.prometheus.PrometheusMeterRegistry
 import io.prometheus.client.CollectorRegistry
 import mu.KotlinLogging
+import no.nav.dagpenger.inntekt.Config.application
 import no.nav.dagpenger.inntekt.db.IllegalInntektIdException
 import no.nav.dagpenger.inntekt.db.InntektNotFoundException
 import no.nav.dagpenger.inntekt.db.InntektStore
@@ -51,9 +54,9 @@ import java.util.concurrent.atomic.AtomicLong
 
 private val LOGGER = KotlinLogging.logger {}
 private val sikkerLogg = KotlinLogging.logger("tjenestekall")
-private val config = Configuration()
 
 fun Application.inntektApi(
+    config: Configuration = Config.config,
     inntektskomponentHttpClient: InntektskomponentClient,
     inntektStore: InntektStore,
     behandlingsInntektsGetter: BehandlingsInntektsGetter,
@@ -71,7 +74,7 @@ fun Application.inntektApi(
     }
 
     install(Authentication) {
-        apiKeyAuth {
+        apiKeyAuth("apikey") {
             apiKeyName = "X-API-KEY"
             validate { apikeyCredential: ApiKeyCredential ->
                 when {
@@ -96,6 +99,10 @@ fun Application.inntektApi(
                 return@validate JWTPrincipal(credentials.payload)
             }
         }
+
+        jwt("azure") {
+            azureAdJWT(config)
+        }
     }
 
     install(StatusPages) {
@@ -209,12 +216,21 @@ fun Application.inntektApi(
     routing {
         route("/v1") {
             route("/inntekt") {
-                inntekt(behandlingsInntektsGetter)
+                authenticate("apikey") {
+                    inntekt(behandlingsInntektsGetter)
+                }
                 uklassifisertInntekt(inntektskomponentHttpClient, inntektStore, personOppslag)
             }
             opptjeningsperiodeApi(inntektStore)
             enhetsregisteret(enhetsregisterClient)
         }
+        route("v2") {
+            route("/inntekt") {
+                authenticate("azure") {
+                    inntekt(behandlingsInntektsGetter)
+                }
+            }
+        }
         naischecks(healthChecks)
     }
 }