Merge pull request #68 from navikt/dev

[PROD][OPP-1521] Fjerne bruk av ISSO fra modia-robot-api

Author: abrhanav

.editorconfig

@@ -1,3 +1,3 @@
 [*.kt]
-disabled_rules=no-wildcard-imports,filename
+ktlint_disabled_rules=no-wildcard-imports,filename
 ij_kotlin_allow_trailing_comma=true

.github/workflows/main.yml

@@ -22,7 +22,7 @@ jobs:
       - name: Install ktlint
         uses: nbadal/action-ktlint-setup@v1
         with:
-          ktlint_version: '0.46.1'
+          ktlint_version: '0.47.1'
       - name: Ktlint
         run: ktlint src/**/*.kt
         shell: bash

.nais/preprod.yml

@@ -9,6 +9,10 @@ spec:
   image: {{image}}
   port: 7070
   webproxy: true
+  accessPolicy:
+    inbound:
+      rules:
+        - application: modiapersonoversikt-api-q1
   liveness:
     path: /internal/isAlive
     initialDelay: 20
@@ -57,11 +61,9 @@ spec:
         mountPath: /var/run/secrets/nais.io/vault
   env:
     - name: IDENT_ALLOW_LIST
-      value: "R154727,R156418,R158345,R158346,R160569,R165950,R165951,R165952,R150818,R150819,R155645,R162552,Z994123,Z990351,Z992779,Z990949,Z990467,Z991629"
+      value: "R154727,R156418,R158345,R158346,R160569,R165950,R165951,R165952,R150818,R150819,R155645,R162552,Z994123,Z990351,Z992779,Z990949,Z990467,Z991629,Z990237,Z994673"
     - name: SECURITYTOKENSERVICE_URL
       value: "https://sts-q1.preprod.local/SecurityTokenServiceProvider/"
-    - name: ISSO_JWKS_URL
-      value: "https://isso-q.adeo.no/isso/oauth2/connect/jwk_uri"
     - name: OPPFOLGING_URL
       value: "https://veilarboppfolging.dev.intern.nav.no/veilarboppfolging/api"
     - name: OPPFOLGING_SCOPE

.nais/prod.yml

@@ -60,8 +60,6 @@ spec:
       value: "R154727,R156418,R158345,R158346,R160569,R165950,R165951,R165952,R150818,R150819,R155645,R162552,D159483,U143410"
     - name: SECURITYTOKENSERVICE_URL
       value: "https://sts.adeo.no/SecurityTokenServiceProvider/"
-    - name: ISSO_JWKS_URL
-      value: "https://isso.adeo.no/isso/oauth2/connect/jwk_uri"
     - name: OPPFOLGING_URL
       value: "https://veilarboppfolging.intern.nav.no/veilarboppfolging/api"
     - name: OPPFOLGING_SCOPE

src/main/kotlin/no/nav/Consumers.kt

@@ -12,13 +12,15 @@ import no.nav.common.client.nom.NomClient
 import no.nav.common.cxf.StsConfig
 import no.nav.common.token_client.builder.AzureAdTokenClientBuilder
 import no.nav.common.token_client.client.MachineToMachineTokenClient
+import no.nav.common.token_client.client.OnBehalfOfTokenClient
 import no.nav.common.utils.NaisUtils
 import no.nav.tjeneste.virksomhet.person.v3.binding.PersonV3
 import no.nav.utils.CXFClient
 import no.nav.utils.bindTo
 
 interface Consumers {
     val tokenclient: MachineToMachineTokenClient
+    val oboTokenClient: OnBehalfOfTokenClient
     val oppfolgingClient: OppfolgingClient
     val tps: PersonV3
     val nom: NomClient
@@ -39,21 +41,26 @@ class ConsumersImpl(env: Env) : Consumers {
         .password(modiaUser.password)
         .build()
 
+    override val oboTokenClient: OnBehalfOfTokenClient = AzureAdTokenClientBuilder
+        .builder()
+        .withNaisDefaults()
+        .buildOnBehalfOfTokenClient()
+
     override val tokenclient: MachineToMachineTokenClient = AzureAdTokenClientBuilder
         .builder()
         .withNaisDefaults()
         .buildMachineToMachineTokenClient()
 
-    override val oppfolgingClient: OppfolgingClient = OppfolgingClient(env.oppfolgingUrl, tokenclient.bindTo(env.oppfolgingScope))
+    override val oppfolgingClient: OppfolgingClient = OppfolgingClient(env.oppfolgingUrl, oboTokenClient.bindTo(env.oppfolgingScope))
     override val tps: PersonV3 = CXFClient<PersonV3>()
         .address(env.tpsPersonV3Url)
         .configureStsForSystemUser(stsConfig)
         .build()
     override val nom: NomClient = Nom(env.nomUrl, tokenclient.bindTo(env.nomScope)).client
     override val skrivestotteClient: SkrivestotteClient = SkrivestotteClient(env.skrivestotteUrl)
-    override val pdlClient: PdlClient = PdlClient(env.pdlUrl, tokenclient.bindTo(env.pdlScope))
-    override val safClient: SafClient = SafClient(env.safUrl, tokenclient.bindTo(env.safScope))
-    override val digdirClient: DigdirClient = DigdirClient(env.digdirUrl, tokenclient.bindTo(env.digdirScope))
-    override val utbetalingerClient: UtbetalingerClient = UtbetalingerClient(env.utbetalingSokosUrl, tokenclient.bindTo(env.utbetalingSokosScope))
-    override val sfClient: SFClient = SFClient(env.sfUrl, tokenclient.bindTo(env.sfScope))
+    override val pdlClient: PdlClient = PdlClient(env.pdlUrl, oboTokenClient.bindTo(env.pdlScope))
+    override val safClient: SafClient = SafClient(env.safUrl, oboTokenClient.bindTo(env.safScope))
+    override val digdirClient: DigdirClient = DigdirClient(env.digdirUrl, tokenclient.bindTo(env.digdirScope), oboTokenClient.bindTo(env.digdirScope))
+    override val utbetalingerClient: UtbetalingerClient = UtbetalingerClient(env.utbetalingSokosUrl, oboTokenClient.bindTo(env.utbetalingSokosScope))
+    override val sfClient: SFClient = SFClient(env.sfUrl, oboTokenClient.bindTo(env.sfScope))
 }

src/main/kotlin/no/nav/Env.kt

@@ -31,7 +31,7 @@ interface Env {
 
 class EnvImpl : Env {
     override val soapStsUrl: String = getRequiredConfig("SECURITYTOKENSERVICE_URL")
-    override val jwksUrl: String = getRequiredConfig("ISSO_JWKS_URL")
+    override val jwksUrl: String = getRequiredConfig("AZURE_OPENID_CONFIG_JWKS_URI")
     override val tpsPersonV3Url: String = getRequiredConfig("TPS_PERSONV3_URL")
     override val oppfolgingUrl: String = getRequiredConfig("OPPFOLGING_URL")
     override val oppfolgingScope: DownstreamApi = getRequiredConfig("OPPFOLGING_SCOPE").toDownstreamApi()

src/main/kotlin/no/nav/api/dialog/DialogRoutes.kt

@@ -5,44 +5,48 @@ import io.bkbn.kompendium.core.metadata.RequestInfo
 import io.bkbn.kompendium.core.metadata.ResponseInfo
 import io.bkbn.kompendium.core.metadata.method.PostInfo
 import io.ktor.application.*
-import io.ktor.auth.*
-import io.ktor.auth.jwt.*
 import io.ktor.http.*
 import io.ktor.request.*
 import io.ktor.response.*
 import io.ktor.routing.*
 import no.nav.api.CommonModels
 import no.nav.api.dialog.DialogService.*
 import no.nav.plugins.securityScheme
+import no.nav.utils.getJWT
+import no.nav.utils.getJWTPrincipalSubject
 
 fun Route.configureDialogRoutes(
     dialogService: DialogService,
 ) {
     route("dialog/{fnr}") {
         route("sendinfomelding") {
             notarizedPost(Api.sendInfomelding) {
+                val payload = call.getJWT()
                 val fnr = requireNotNull(call.parameters["fnr"])
                 val request: MeldingRequest = call.receive()
-                val ident = checkNotNull(call.principal<JWTPrincipal>()?.subject) { "Could not extract subject from token" }
+                val ident = call.getJWTPrincipalSubject()
                 call.respond(
                     dialogService.sendInfomelding(
                         fnr,
                         request,
-                        ident
+                        ident,
+                        payload
                     )
                 )
             }
         }
         route("sendsporsmal") {
             notarizedPost(Api.sendSporsmal) {
+                val payload = call.getJWT()
                 val fnr = requireNotNull(call.parameters["fnr"])
                 val request: MeldingRequest = call.receive()
-                val ident = checkNotNull(call.principal<JWTPrincipal>()?.subject) { "Could not extract subject from token" }
+                val ident = call.getJWTPrincipalSubject()
                 call.respond(
                     dialogService.sendSporsmal(
                         fnr,
                         request,
-                        ident
+                        ident,
+                        payload
                     )
                 )
             }

src/main/kotlin/no/nav/api/dialog/DialogService.kt

@@ -42,48 +42,48 @@ class DialogService(
         val kjedeId: String,
     )
 
-    suspend fun sendSporsmal(fnr: String, request: MeldingRequest, ident: String): Response {
-        val sfMeldingRequest = lagSfMeldingRequest(fnr, request)
-        val sak = safService.hentBrukersSaker(fnr).firstOrNull { it.tema?.name == request.tema }
-        val nyHenvendelse = sfService.sendSporsmal(sfMeldingRequest, ident)
+    suspend fun sendSporsmal(fnr: String, request: MeldingRequest, ident: String, token: String): Response {
+        val sfMeldingRequest = lagSfMeldingRequest(fnr, request, token)
+        val sak = safService.hentBrukersSaker(fnr, token).firstOrNull { it.tema?.name == request.tema }
+        val nyHenvendelse = sfService.sendSporsmal(sfMeldingRequest, ident, token)
         val journalforRequest = JournalforRequest(
             journalforendeEnhet = request.enhet,
             fagsakId = sak?.fagsakId,
             fagsaksystem = if (sak?.fagsakId != null) sak.fagsaksystem else null,
             temakode = request.tema,
             kjedeId = nyHenvendelse.kjedeId
         )
-        sfService.journalforMelding(journalforRequest, ident)
+        sfService.journalforMelding(journalforRequest, ident, token)
         return Response(nyHenvendelse.kjedeId)
     }
 
-    suspend fun sendInfomelding(fnr: String, request: MeldingRequest, ident: String): Response {
-        val sfMeldingRequest = lagSfMeldingRequest(fnr, request)
-        val sak = safService.hentBrukersSaker(fnr).firstOrNull { it.tema?.name == request.tema }
-        val nyHenvendelse = sfService.sendInfomelding(sfMeldingRequest, ident)
+    suspend fun sendInfomelding(fnr: String, request: MeldingRequest, ident: String, token: String): Response {
+        val sfMeldingRequest = lagSfMeldingRequest(fnr, request, token)
+        val sak = safService.hentBrukersSaker(fnr, token).firstOrNull { it.tema?.name == request.tema }
+        val nyHenvendelse = sfService.sendInfomelding(sfMeldingRequest, ident, token)
         val journalforRequest = JournalforRequest(
             journalforendeEnhet = request.enhet,
             fagsakId = sak?.fagsakId,
             fagsaksystem = if (sak?.fagsakId != null) sak.fagsaksystem else null,
             temakode = request.tema,
             kjedeId = nyHenvendelse.kjedeId
         )
-        sfService.lukkTraad(nyHenvendelse.kjedeId)
-        sfService.journalforMelding(journalforRequest, ident)
+        sfService.lukkTraad(nyHenvendelse.kjedeId, token)
+        sfService.journalforMelding(journalforRequest, ident, token)
         return Response(nyHenvendelse.kjedeId)
     }
 
-    private suspend fun lagSfMeldingRequest(fnr: String, request: MeldingRequest) = SfMeldingRequest(
-        aktorId = pdlService.hentAktorid(fnr),
+    private suspend fun lagSfMeldingRequest(fnr: String, request: MeldingRequest, token: String) = SfMeldingRequest(
+        aktorId = pdlService.hentAktorid(fnr, token),
         temagruppe = hentTemagruppeForTema(request.tema),
         enhet = request.enhet,
-        fritekst = parseFritekst(fnr, request.tekst),
+        fritekst = parseFritekst(fnr, request.tekst, token),
         tema = request.tema,
         tildelMeg = false
     )
 
-    suspend fun parseFritekst(fnr: String, tekst: String): String {
-        val navn = pdlService.hentNavn(fnr)
+    suspend fun parseFritekst(fnr: String, tekst: String, token: String): String {
+        val navn = pdlService.hentNavn(fnr, token)
         return tekst
             .replace("[bruker.fornavn]", navn.fornavn)
             .replace("[bruker.etternavn]", navn.etternavn)

src/main/kotlin/no/nav/api/dialog/saf/SafClient.kt

@@ -13,7 +13,7 @@ import java.net.URL
 
 class SafClient(
     private val safUrl: String,
-    private val tokenclient: BoundedMachineToMachineTokenClient,
+    private val oboTokenProvider: BoundedOnBehalfOfTokenClient,
     httpEngine: HttpClientEngine = OkHttp.create(),
 ) {
     private val graphqlClient = LoggingGraphQLKtorClient(
@@ -23,7 +23,7 @@ class SafClient(
         httpClient = HttpClient(httpEngine)
     )
 
-    suspend fun hentBrukersSaker(fnr: String): GraphQLClientResponse<HentBrukerssaker.Result> {
+    suspend fun hentBrukersSaker(fnr: String, token: String): GraphQLClientResponse<HentBrukerssaker.Result> {
         return externalServiceCall {
             graphqlClient.execute(
                 request = HentBrukerssaker(
@@ -35,8 +35,8 @@ class SafClient(
                     )
                 ),
                 requestCustomizer = {
-                    val token = tokenclient.createMachineToMachineToken()
-                    header("Authorization", "Bearer $token")
+                    val oboToken = oboTokenProvider.exchangeOnBehalfOfToken(token)
+                    header("Authorization", "Bearer $oboToken")
                     header("X-Correlation-ID", getCallId())
                 }
             )

src/main/kotlin/no/nav/api/dialog/saf/SafService.kt

@@ -5,9 +5,9 @@ import no.nav.api.generated.saf.hentbrukerssaker.Sak
 class SafService(
     private val safClient: SafClient,
 ) {
-    suspend fun hentBrukersSaker(fnr: String): List<Sak> {
+    suspend fun hentBrukersSaker(fnr: String, token: String): List<Sak> {
         return safClient
-            .hentBrukersSaker(fnr)
+            .hentBrukersSaker(fnr, token)
             .data
             ?.saker
             ?.filterNotNull()