diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursInterceptor.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursInterceptor.java
index f16785cfb..51317cb03 100644
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursInterceptor.java
+++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursInterceptor.java
@@ -60,19 +60,15 @@ private Object ikkeTilgang(AbacResultat abacResultat) {
 
 private BeskyttetRessursAttributter hentBeskyttetRessursAttributter(Method method, Class mClass, AbacDataAttributter dataAttributter) {
 var beskyttetRessurs = method.getAnnotation(BeskyttetRessurs.class);
- var token = Token.withOidcToken(tokenProvider.openIdToken());
-
 return BeskyttetRessursAttributter.builder()
 .medBrukerId(tokenProvider.getUid())
 .medBrukerOid(tokenProvider.getOid())
 .medIdentType(tokenProvider.getIdentType())
 .medAnsattGrupper(tokenProvider.getAnsattGrupper())
- .medToken(token)
 .medActionType(beskyttetRessurs.actionType())
 .medAvailabilityType(beskyttetRessurs.availabilityType())
 .medResourceType(finnResource(beskyttetRessurs))
 .medSporingslogg(beskyttetRessurs.sporingslogg())
- .medPepId(pep.pepId())
 .medServicePath(utledAction(mClass, method))
 .medDataAttributter(dataAttributter)
 .build();
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpKlient.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpKlient.java
deleted file mode 100644
index 1a8c7a7bd..000000000
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpKlient.java
+++ /dev/null
@@ -1,10 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter;
-import no.nav.vedtak.sikkerhet.abac.pdp.AppRessursData;
-
-public interface PdpKlient {
-
- Tilgangsbeslutning forespørTilgang(BeskyttetRessursAttributter beskyttetRessursAttributter, String domene, AppRessursData appRessursData);
-
-}
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Pep.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Pep.java
index d28b46830..9e346835e 100644
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Pep.java
+++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Pep.java
@@ -1,13 +1,9 @@
 package no.nav.vedtak.sikkerhet.abac;
 
-import no.nav.foreldrepenger.konfig.Environment;
 import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter;
 
 public interface Pep {
 
 AbacResultat vurderTilgang(BeskyttetRessursAttributter beskyttetRessursAttributter);
 
- default String pepId() {
- return Environment.current().getNaisAppName();
- }
 }
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Token.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Token.java
deleted file mode 100644
index d8ce03353..000000000
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Token.java
+++ /dev/null
@@ -1,70 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-import java.util.Optional;
-
-import org.jose4j.jws.JsonWebSignature;
-import org.jose4j.jwt.consumer.InvalidJwtException;
-import org.jose4j.jwt.consumer.JwtConsumer;
-import org.jose4j.jwt.consumer.JwtConsumerBuilder;
-
-import no.nav.vedtak.exception.TekniskException;
-import no.nav.vedtak.sikkerhet.oidc.config.OpenIDProvider;
-import no.nav.vedtak.sikkerhet.oidc.token.OpenIDToken;
-
-public class Token {
-
- private static final JwtConsumer unvalidatingConsumer = new JwtConsumerBuilder().setSkipAllValidators()
- .setDisableRequireSignature()
- .setSkipSignatureVerification()
- .build();
-
- public enum TokenType {
- OIDC,
- TOKENX;
- }
-
- private final TokenType tokenType;
- private final OpenIDToken openIDToken;
- private Token(TokenType tokenType, OpenIDToken openIDToken) {
- this.tokenType = tokenType;
- this.openIDToken = openIDToken;
- }
-
- public static Token withOidcToken(OpenIDToken token) {
- return new Token(utledTokenType(token), token);
- }
-
- public TokenType getTokenType() {
- return tokenType;
- }
-
- public OpenIDProvider getOpenIDProvider() {
- return Optional.ofNullable(openIDToken).map(OpenIDToken::provider).orElse(null);
- }
-
- private static TokenType utledTokenType(OpenIDToken token) {
- return switch (token.provider()) {
- case AZUREAD -> TokenType.OIDC;
- case TOKENX -> TokenType.TOKENX;
- };
- }
-
- public String getTokenBody() {
- return tokenPayloadBase64(openIDToken);
- }
-
- @Override
- public String toString() {
- return getClass().getSimpleName() + " [token=MASKERT, tokenType=" + tokenType + "]";
- }
-
- public static String tokenPayloadBase64(OpenIDToken token) {
- try {
- var jsonObjects = unvalidatingConsumer.process(token.token()).getJoseObjects();
- var jwtBody = ((JsonWebSignature) jsonObjects.get(0)).getUnverifiedPayloadBytes();
- return org.jose4j.base64url.Base64.encode(jwtBody);
- } catch (InvalidJwtException e) {
- throw new TekniskException("F-026969",
"Feil ved parsing av JWT", e); - } - } -} diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/beskyttet/ActionType.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/beskyttet/ActionType.java index dbcc55b4d..202d649cd 100644 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/beskyttet/ActionType.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/beskyttet/ActionType.java @@ -1,23 +1,14 @@ package no.nav.vedtak.sikkerhet.abac.beskyttet; public enum ActionType { - READ("read"), - UPDATE("update"), - CREATE("create"), - DELETE("delete"), + READ, + UPDATE, + CREATE, + DELETE, /** * Skal kun brukes av Interceptor */ - DUMMY(null); + DUMMY; - private String eksternKode; - - ActionType(String eksternKode) { - this.eksternKode = eksternKode; - } - - public String getEksternKode() { - return eksternKode; - } } diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/beskyttet/ResourceType.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/beskyttet/ResourceType.java index 3d2700556..3edff1405 100644 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/beskyttet/ResourceType.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/beskyttet/ResourceType.java 
@@ -1,44 +1,25 @@ package no.nav.vedtak.sikkerhet.abac.beskyttet; -import static no.nav.vedtak.sikkerhet.abac.policy.ForeldrepengerAttributter.RESOURCE_TYPE_FP_APPLIKASJON; -import static no.nav.vedtak.sikkerhet.abac.policy.ForeldrepengerAttributter.RESOURCE_TYPE_FP_AVDELINGENHET; -import static no.nav.vedtak.sikkerhet.abac.policy.ForeldrepengerAttributter.RESOURCE_TYPE_FP_DRIFT; -import static no.nav.vedtak.sikkerhet.abac.policy.ForeldrepengerAttributter.RESOURCE_TYPE_FP_FAGSAK; -import static no.nav.vedtak.sikkerhet.abac.policy.ForeldrepengerAttributter.RESOURCE_TYPE_FP_OPPGAVESTYRING; -import static no.nav.vedtak.sikkerhet.abac.policy.ForeldrepengerAttributter.RESOURCE_TYPE_FP_UTTAKSPLAN; -import static no.nav.vedtak.sikkerhet.abac.policy.ForeldrepengerAttributter.RESOURCE_TYPE_FP_VENTEFRIST; -import static no.nav.vedtak.sikkerhet.abac.policy.ForeldrepengerAttributter.RESOURCE_TYPE_INTERNAL_PIP; - public enum ResourceType { // Til bruk i annotering - APPLIKASJON(RESOURCE_TYPE_FP_APPLIKASJON), - DRIFT(RESOURCE_TYPE_FP_DRIFT), - FAGSAK(RESOURCE_TYPE_FP_FAGSAK), - VENTEFRIST(RESOURCE_TYPE_FP_VENTEFRIST), + APPLIKASJON, + DRIFT, + FAGSAK, + VENTEFRIST, // LOS - OPPGAVESTYRING_AVDELINGENHET(RESOURCE_TYPE_FP_AVDELINGENHET), - OPPGAVESTYRING(RESOURCE_TYPE_FP_OPPGAVESTYRING), - // OPPGAVEKØ(RESOURCE_TYPE_FP_OPPGAVEKØ), TODO: Vurder om skal brukes for å lese oppgaver for LOS. Nå brukes FAGSAK + OPPGAVESTYRING_AVDELINGENHET, + OPPGAVESTYRING, + // OPPGAVEKØ, TODO: Vurder om skal brukes for å lese oppgaver for LOS. 
Nå brukes FAGSAK // Selvbetjening - UTTAKSPLAN(RESOURCE_TYPE_FP_UTTAKSPLAN), + UTTAKSPLAN, // Til bruk i annotering for endepunkt som er PIP-tjenester - PIP(RESOURCE_TYPE_INTERNAL_PIP), + PIP, /** * Skal kun brukes av Interceptor */ - DUMMY(""); - - private final String resourceTypeAttribute; - - ResourceType(String resourceTypeAttribute) { - this.resourceTypeAttribute = resourceTypeAttribute; - } - - public String getResourceTypeAttribute() { - return this != DUMMY ? resourceTypeAttribute : null; - } + DUMMY } diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/internal/BeskyttetRessursAttributter.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/internal/BeskyttetRessursAttributter.java index b05f2aab2..1d184105d 100644 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/internal/BeskyttetRessursAttributter.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/internal/BeskyttetRessursAttributter.java @@ -6,7 +6,6 @@ import java.util.UUID; import no.nav.vedtak.sikkerhet.abac.AbacDataAttributter; -import no.nav.vedtak.sikkerhet.abac.Token; import no.nav.vedtak.sikkerhet.abac.beskyttet.ActionType; import no.nav.vedtak.sikkerhet.abac.beskyttet.AvailabilityType; import no.nav.vedtak.sikkerhet.abac.beskyttet.ResourceType; @@ -23,8 +22,6 @@ public class BeskyttetRessursAttributter { private ActionType actionType; private ResourceType resourceType; private AvailabilityType availabilityType; - private Token token; - private String pepId; private String servicePath; private boolean sporingslogg = true; private AbacDataAttributter dataAttributter; @@ -65,14 +62,6 @@ public boolean isSporingslogg() { return sporingslogg; } - public Token getToken() { - return token; - } - - public String getPepId() { - return pepId; - } - public String getServicePath() { return servicePath; } 
@@ -84,7 +73,7 @@ public AbacDataAttributter getDataAttributter() {
 @Override
 public String toString() {
 return "BeskyttetRessursAttributter{" + "userId=MASKERT" + ", actionType=" + actionType + ", resourceType="
- + resourceType + ", token=" + token + ", pepId=" + pepId + ", servicePath=" + servicePath + '}';
+ + resourceType + ", servicePath=" + servicePath + '}';
 }
 
 public static class Builder {
@@ -114,11 +103,6 @@ public Builder medAnsattGrupper(Set ansattGrupper) {
 return this;
 }
 
- public Builder medToken(Token token) {
- pdpRequest.token = token;
- return this;
- }
-
 public Builder medActionType(ActionType actionType) {
 pdpRequest.actionType = actionType;
 return this;
@@ -139,11 +123,6 @@ public Builder medSporingslogg(boolean sporingslogg) {
 return this;
 }
 
- public Builder medPepId(String pepId) {
- pdpRequest.pepId = pepId;
- return this;
- }
-
 public Builder medServicePath(String servicePath) {
 pdpRequest.servicePath = servicePath;
 return this;
@@ -161,10 +140,9 @@ public BeskyttetRessursAttributter build() {
 
 private void validateBeforeBuild() {
 Objects.requireNonNull(pdpRequest.brukerId, "userId");
- Objects.requireNonNull(pdpRequest.token, "idToken");
 Objects.requireNonNull(pdpRequest.actionType, "actionType");
 Objects.requireNonNull(pdpRequest.resourceType, "resourceType");
- Objects.requireNonNull(pdpRequest.pepId, "pepId");
+ Objects.requireNonNull(pdpRequest.identType, "identType");
 Objects.requireNonNull(pdpRequest.servicePath, "servicePath");
 Objects.requireNonNull(pdpRequest.dataAttributter, "dataAttributter");
 }
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/policy/ForeldrepengerAttributter.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/policy/ForeldrepengerAttributter.java
index 7e47310f1..7fb9a340b 100644
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/policy/ForeldrepengerAttributter.java
+++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/policy/ForeldrepengerAttributter.java
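Review bot: `validateBeforeBuild()` now makes `identType` mandatory, but nothing on the builder states the new contract; a caller that never calls `medIdentType` (the old check list shows it was optional before this commit) now fails with a NullPointerException at build time instead of receiving an access decision, which is fail-closed but surprising. A one-line Javadoc on `medIdentType`, e.g. `/** Required; build() throws NullPointerException when the ident type is missing. */`, plus a matching `@throws NullPointerException` on `build()`, would make that visible. The remaining attributes (`brukerOid`, `ansattGrupper`, `availabilityType`) stay unvalidated, which may be deliberate but deserves a comment in `validateBeforeBuild` saying so. The Builder class and `build()` itself start outside the hunk, so I am assuming `build()` is the only caller of `validateBeforeBuild()`.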
@@ -38,24 +38,4 @@ private ForeldrepengerAttributter() {
 public static final String VALUE_FP_AVDELING_ENHET_ADRESSEBESKYTTET = "2103";
 public static final String VALUE_FP_AVDELING_ENHET_SKJERMET = "4883";
 
- /**
- * Attributter brukt som resource_type
- * TODO: Behov for AvdelingEnhet og OppgaveStyring? Fjerne risikoklassifisering?
- * TODO: OPPGAVEKØ ikke i bruk - vurder FAGSAK vs OPPGAVEKØ + evt bruk som dataattributt (køer på 2103. Mangler policies)
- */
- public static final String RESOURCE_TYPE_FP_APPLIKASJON = "no.nav.abac.attributter.foreldrepenger";
- public static final String RESOURCE_TYPE_FP_DRIFT = "no.nav.abac.attributter.foreldrepenger.drift";
- public static final String RESOURCE_TYPE_FP_FAGSAK = "no.nav.abac.attributter.foreldrepenger.fagsak";
- public static final String RESOURCE_TYPE_FP_VENTEFRIST = "no.nav.abac.attributter.foreldrepenger.fagsak.ventefrist";
- public static final String RESOURCE_TYPE_FP_AVDELINGENHET = "no.nav.abac.attributter.foreldrepenger.oppgavestyring.avdelingsenhet";
- // public static final String RESOURCE_TYPE_FP_OPPGAVEKØ = "no.nav.abac.attributter.foreldrepenger.oppgaveko"; TODO: Vurder om skal brukes for å lese oppgaver for LOS. Nå brukes FAGSAK. Evt bruk som dataAttributt.
- public static final String RESOURCE_TYPE_FP_OPPGAVESTYRING = "no.nav.abac.attributter.foreldrepenger.oppgavestyring";
- public static final String RESOURCE_TYPE_FP_UTTAKSPLAN = "no.nav.abac.attributter.resource.foreldrepenger.uttaksplan";
-
- /**
- * Attributter brukt til interne formål
- */
- public static final String RESOURCE_TYPE_INTERNAL_PIP = "pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker";
- public static final String RESOURCE_TYPE_INTERNAL_DUMMY = "";
-
 }
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/policy/SystemressursPolicies.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/policy/SystemressursPolicies.java
index 5ff1d18fe..eb6be6fdc 100644
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/policy/SystemressursPolicies.java
+++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/policy/SystemressursPolicies.java
@@ -1,6 +1,7 @@
 package no.nav.vedtak.sikkerhet.abac.policy;
 
 import java.util.Objects;
+import java.util.Optional;
 import java.util.Set;
 
 import no.nav.foreldrepenger.konfig.Cluster;
@@ -25,7 +26,8 @@ public class SystemressursPolicies {
 private static final Environment ENV = Environment.current();
 
 // Format: json array av objekt("name", "clientId");
- private static final String PRE_AUTHORIZED = ENV.getProperty(AzureProperty.AZURE_APP_PRE_AUTHORIZED_APPS.name());
+ private static final String PRE_AUTHORIZED = Optional.ofNullable(ENV.getProperty(AzureProperty.AZURE_APP_PRE_AUTHORIZED_APPS.name()))
+ .orElseGet(() -> ENV.getProperty(AzureProperty.AZURE_APP_PRE_AUTHORIZED_APPS.name().toLowerCase().replace('_', '.')));
 private static final Cluster RESIDENT_CLUSTER = ENV.getCluster();
 private static final String RESIDENT_NAMESPACE = ENV.namespace();
 private static final Set IKKE_TILLATT_RESOURCE_TYPE = Set.of(ResourceType.UTTAKSPLAN);
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumer.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumer.java
deleted file mode 100644
index f267aa40f..000000000
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumer.java
+++ /dev/null
@@ -1,9 +0,0 @@
-package no.nav.vedtak.sikkerhet.pdp;
-
-import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequest;
-import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlResponse;
-
-public interface PdpConsumer {
-
- XacmlResponse evaluate(XacmlRequest request);
-}
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumerImpl.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumerImpl.java
deleted file mode 100644
index 6eb6f3215..000000000
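Review bot: The fallback key in the new `PRE_AUTHORIZED` initializer is built with `toLowerCase()` and no locale, so under a Turkish default locale the `I` in `AUTHORIZED` becomes a dotless ı and the second lookup silently misses; use `.toLowerCase(Locale.ROOT)` on that line (add `import java.util.Locale;` to the import block this hunk already touches). Because this string is the allowlist of pre-authorized callers and is resolved once at class initialization, a missed lookup leaves `PRE_AUTHORIZED` null for the lifetime of the class; how a null is treated is outside the hunk, so I cannot tell whether that fails closed. A short comment above the field naming the two accepted spellings, e.g. `// Accepts both the env-var form (AZURE_APP_PRE_AUTHORIZED_APPS) and the dotted lower-case property form derived from it`, would spare the next reader from re-deriving the `replace('_', '.')` intent.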
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumerImpl.java
+++ /dev/null
@@ -1,102 +0,0 @@
-package no.nav.vedtak.sikkerhet.pdp;
-
-import static java.nio.charset.StandardCharsets.UTF_8;
-
-import java.io.IOException;
-import java.net.HttpURLConnection;
-import java.net.URI;
-import java.net.http.HttpClient;
-import java.net.http.HttpRequest;
-import java.net.http.HttpResponse;
-import java.time.Duration;
-import java.util.Base64;
-
-import jakarta.enterprise.context.ApplicationScoped;
-import jakarta.inject.Inject;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectReader;
-
-import no.nav.foreldrepenger.konfig.KonfigVerdi;
-import no.nav.vedtak.exception.IntegrasjonException;
-import no.nav.vedtak.exception.ManglerTilgangException;
-import no.nav.vedtak.mapper.json.DefaultJsonMapper;
-import no.nav.vedtak.sikkerhet.kontekst.Systembruker;
-import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequest;
-import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlResponse;
-
-@ApplicationScoped
-public class PdpConsumerImpl implements PdpConsumer {
-
- private static final String MEDIA_TYPE = "application/xacml+json";
- private static final Logger LOG = LoggerFactory.getLogger(PdpConsumerImpl.class);
-
- private HttpClient client;
- private ObjectReader reader;
-
- private URI pdpUrl;
- private String basicCredentials;
-
- PdpConsumerImpl() {
- } // CDI
-
- @Inject
- public PdpConsumerImpl(@KonfigVerdi(value = "abac.pdp.endpoint.url", defaultVerdi = "http://abac-foreldrepenger.teamabac/application/authorize") String pdpUrl) {
- this.pdpUrl = URI.create(pdpUrl);
- this.basicCredentials = basicCredentials(Systembruker.username(), Systembruker.password());
- // TODO - vurder om bør settes static final?
- this.client = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(10)).proxy(HttpClient.Builder.NO_PROXY).build();
- this.reader = DefaultJsonMapper.getObjectMapper().readerFor(XacmlResponse.class);
- }
-
- @Override
- public XacmlResponse evaluate(XacmlRequest xacmlRequest) {
- var request = HttpRequest.newBuilder()
- .header("Authorization", basicCredentials)
- .header("Content-type", MEDIA_TYPE)
- .timeout(Duration.ofSeconds(5))
- .uri(pdpUrl)
- .POST(HttpRequest.BodyPublishers.ofString(DefaultJsonMapper.toJson(xacmlRequest), UTF_8))
- .build();
-
- // Enkel retry
- int i = 2;
- while (i-- > 0) {
- try {
- return send(request);
- } catch (IntegrasjonException e) {
- LOG.trace("F-157387 IntegrasjonException ved kall {} til PDP", 2 - i, e);
- }
- }
- return send(request);
- }
-
- private XacmlResponse send(HttpRequest request) {
- try {
- var response = client.send(request, HttpResponse.BodyHandlers.ofString(UTF_8));
- if (response != null && response.statusCode() == HttpURLConnection.HTTP_UNAUTHORIZED) {
- throw new ManglerTilgangException("F-157388", "Ingen tilgang fra PDP");
- }
- if (response == null || response.body() == null) {
- LOG.info("ingen response fra PDP status = {}", response == null ? "null" : response.statusCode());
- throw new IntegrasjonException("F-157386", "Kunne ikke hente svar fra PDP");
- }
- return reader.readValue(response.body(), XacmlResponse.class);
- } catch (JsonProcessingException e) {
- throw new IntegrasjonException("F-208314", "Kunne ikke deserialisere objekt til JSON", e);
- } catch (IOException e) {
- throw new IntegrasjonException("F-091324", "Uventet IO-exception mot PDP", e);
- } catch (InterruptedException e) {
- Thread.currentThread().interrupt();
- throw new IntegrasjonException("F-432938", "InterruptedException ved kall mot PDP", e);
- }
- }
-
- private static String basicCredentials(String username, String password) {
- return "Basic " + Base64.getEncoder().encodeToString(String.format("%s:%s", username, password).getBytes(UTF_8));
- }
-
-}
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImpl.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImpl.java
deleted file mode 100644
index 34ab726f4..000000000
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImpl.java
+++ /dev/null
@@ -1,92 +0,0 @@
-package no.nav.vedtak.sikkerhet.pdp;
-
-import java.util.List;
-
-import jakarta.enterprise.context.Dependent;
-import jakarta.inject.Inject;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import no.nav.vedtak.exception.TekniskException;
-import no.nav.vedtak.log.util.LoggerUtils;
-import no.nav.vedtak.sikkerhet.abac.AbacResultat;
-import no.nav.vedtak.sikkerhet.abac.PdpKlient;
-import no.nav.vedtak.sikkerhet.abac.Tilgangsbeslutning;
-import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter;
-import no.nav.vedtak.sikkerhet.abac.pdp.AppRessursData;
-import no.nav.vedtak.sikkerhet.pdp.xacml.Advice;
-import no.nav.vedtak.sikkerhet.pdp.xacml.Decision;
-import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlResponse;
-import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlResponseMapper;
-
-@Dependent
-public class PdpKlientImpl implements PdpKlient {
-
- private static final Logger LOG = LoggerFactory.getLogger(PdpKlientImpl.class);
-
- private final PdpConsumer pdp;
-
- @Inject
- public PdpKlientImpl(PdpConsumer pdp) {
- this.pdp = pdp;
- }
-
- @Override
- public Tilgangsbeslutning forespørTilgang(BeskyttetRessursAttributter beskyttetRessursAttributter, String domene, AppRessursData appRessursData) {
- var request = XacmlRequestMapper.lagXacmlRequest(beskyttetRessursAttributter, domene, appRessursData);
- var response = pdp.evaluate(request);
- var hovedresultat = resultatFraResponse(response);
- return new Tilgangsbeslutning(hovedresultat, beskyttetRessursAttributter, appRessursData);
- }
-
- private static AbacResultat resultatFraResponse(XacmlResponse response) {
- var decisions = XacmlResponseMapper.getDecisions(response);
-
- for (var decision : decisions) {
- if (decision == Decision.Indeterminate) {
- throw new TekniskException("F-080281",
- String.format("Decision %s fra PDP, dette skal aldri skje. Full JSON response: %s", decision, response));
- }
- }
-
- var biasedDecision = createAggregatedDecision(decisions);
- handlObligation(response);
-
- if (biasedDecision == Decision.Permit) {
- return AbacResultat.GODKJENT;
- }
-
- var denyAdvice = XacmlResponseMapper.getAdvice(response);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Deny fra PDP, advice var: {}", LoggerUtils.toStringWithoutLineBreaks(denyAdvice));
- }
- if (denyAdvice.contains(Advice.DENY_KODE_6)) {
- return AbacResultat.AVSLÅTT_KODE_6;
- }
- if (denyAdvice.contains(Advice.DENY_KODE_7)) {
- return AbacResultat.AVSLÅTT_KODE_7;
- }
- if (denyAdvice.contains(Advice.DENY_EGEN_ANSATT)) {
- return AbacResultat.AVSLÅTT_EGEN_ANSATT;
- }
- return AbacResultat.AVSLÅTT_ANNEN_ÅRSAK;
- }
-
- private static Decision createAggregatedDecision(List decisions) {
- for (var decision : decisions) {
- if (decision != Decision.Permit) {
- return Decision.Deny;
- }
- }
- return Decision.Permit;
- }
-
- private static void handlObligation(XacmlResponse response) {
- var obligations = XacmlResponseMapper.getObligations(response);
- if (!obligations.isEmpty()) {
- throw new TekniskException("F-576027", String.format("Mottok ukjente obligations fra PDP: %s", obligations));
- }
- }
-}
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestMapper.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestMapper.java
deleted file mode 100644
index a61a5179b..000000000
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestMapper.java
+++ /dev/null
@@ -1,105 +0,0 @@
-package no.nav.vedtak.sikkerhet.pdp;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-
-import no.nav.foreldrepenger.konfig.Environment;
-import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter;
-import no.nav.vedtak.sikkerhet.abac.pdp.AppRessursData;
-import no.nav.vedtak.sikkerhet.pdp.xacml.Category;
-import no.nav.vedtak.sikkerhet.pdp.xacml.NavFellesAttributter;
-import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequest;
-
-public class XacmlRequestMapper {
-
- private static final Environment ENV = Environment.current();
-
- public static XacmlRequest lagXacmlRequest(BeskyttetRessursAttributter beskyttetRessursAttributter,
- String domene,
- AppRessursData appRessursData) {
- var actionAttributes = new XacmlRequest.Attributes(List.of(actionInfo(beskyttetRessursAttributter)));
-
- List envList = new ArrayList<>();
- envList.add(getPepIdInfo(beskyttetRessursAttributter));
- envList.addAll(getTokenEnvironmentAttrs(beskyttetRessursAttributter));
-
- var envAttributes = new XacmlRequest.Attributes(envList);
-
- List resourceAttributes = new ArrayList<>();
- var identer = hentIdenter(appRessursData);
- if (identer.isEmpty()) {
- resourceAttributes.add(resourceInfo(beskyttetRessursAttributter, domene, appRessursData, null));
- } else {
- identer.forEach(ident -> resourceAttributes.add(resourceInfo(beskyttetRessursAttributter, domene, appRessursData, ident)));
- }
-
- Map> requestMap = new HashMap<>();
- requestMap.put(Category.Action, List.of(actionAttributes));
- requestMap.put(Category.Environment, List.of(envAttributes));
- requestMap.put(Category.Resource, resourceAttributes);
- return new XacmlRequest(requestMap);
- }
-
- private static XacmlRequest.Attributes resourceInfo(BeskyttetRessursAttributter beskyttetRessursAttributter,
- String domene,
- AppRessursData appRessursData,
- Ident ident) {
- List attributes = new ArrayList<>();
-
- attributes.add(new XacmlRequest.AttributeAssignment(NavFellesAttributter.RESOURCE_FELLES_DOMENE, domene));
- attributes.add(
- new XacmlRequest.AttributeAssignment(NavFellesAttributter.RESOURCE_FELLES_RESOURCE_TYPE, beskyttetRessursAttributter.getResourceType().getResourceTypeAttribute()));
-
- appRessursData.getResources()
- .values()
- .stream()
- .map(ressursData -> new XacmlRequest.AttributeAssignment(ressursData.nøkkel().getKey(), ressursData.verdi()))
- .forEach(attributes::add);
-
- if (ident != null) {
- attributes.add(new XacmlRequest.AttributeAssignment(ident.key(), ident.ident()));
- }
- return new XacmlRequest.Attributes(attributes);
- }
-
- private static XacmlRequest.AttributeAssignment actionInfo(final BeskyttetRessursAttributter beskyttetRessursAttributter) {
- return new XacmlRequest.AttributeAssignment(NavFellesAttributter.XACML10_ACTION_ID,
- beskyttetRessursAttributter.getActionType().getEksternKode());
- }
-
- private static XacmlRequest.AttributeAssignment getPepIdInfo(final BeskyttetRessursAttributter beskyttetRessursAttributter) {
- return new XacmlRequest.AttributeAssignment(NavFellesAttributter.ENVIRONMENT_FELLES_PEP_ID,
- Optional.ofNullable(beskyttetRessursAttributter.getPepId()).orElse(getPepId()));
- }
-
- private static List getTokenEnvironmentAttrs(final BeskyttetRessursAttributter beskyttetRessursAttributter) {
- String envTokenBodyAttributt = switch (beskyttetRessursAttributter.getToken().getTokenType()) {
- case OIDC -> NavFellesAttributter.ENVIRONMENT_FELLES_OIDC_TOKEN_BODY;
- case TOKENX -> NavFellesAttributter.ENVIRONMENT_FELLES_TOKENX_TOKEN_BODY;
- };
- var assignement = new XacmlRequest.AttributeAssignment(envTokenBodyAttributt, beskyttetRessursAttributter.getToken().getTokenBody());
- return List.of(assignement);
- }
-
- private static String getPepId() {
- return ENV.getNaisAppName();
- }
-
- private static List hentIdenter(AppRessursData appRessursData) {
- List identer = new ArrayList<>();
- appRessursData.getAktørIdSet()
- .stream()
- .map(it -> new Ident(NavFellesAttributter.RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE, it))
- .forEach(identer::add);
-
- appRessursData.getFødselsnumre().stream().map(it -> new Ident(NavFellesAttributter.RESOURCE_FELLES_PERSON_FNR, it)).forEach(identer::add);
-
- return identer;
- }
-
- public record Ident(String key, String ident) {
- }
-}
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Advice.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Advice.java
deleted file mode 100644
index 37469ec18..000000000
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Advice.java
+++ /dev/null
@@ -1,8 +0,0 @@
-package no.nav.vedtak.sikkerhet.pdp.xacml;
-
-public enum Advice {
- DENY_KODE_6,
- DENY_KODE_7,
- DENY_EGEN_ANSATT;
-
-}
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Category.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Category.java
deleted file mode 100644
index 6b96c3f2b..000000000
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Category.java
+++ /dev/null
@@ -1,12 +0,0 @@
-package no.nav.vedtak.sikkerhet.pdp.xacml;
-
-public enum Category {
- Resource,
- Action,
- Environment,
- AccessSubject,
- RecipientSubject,
- IntermediarySubject,
- Codebase,
- RequestingMachine;
-}
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Decision.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Decision.java
deleted file mode 100644
index 3402e344e..000000000
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Decision.java
+++ /dev/null
@@ -1,8 +0,0 @@
-package no.nav.vedtak.sikkerhet.pdp.xacml;
-
-public enum Decision {
- Permit,
- Deny,
- NotApplicable,
- Indeterminate;
-}
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/NavFellesAttributter.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/NavFellesAttributter.java
deleted file mode 100644
index 7d33fde84..000000000
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/NavFellesAttributter.java
+++ /dev/null
@@ -1,23 +0,0 @@
-package no.nav.vedtak.sikkerhet.pdp.xacml;
-
-/**
- * Inneholder subset av konstanter deklareret i aba-common-attributter modul i
- * Nav.
- *
- * @see abac-common-attributes-alfa / CommonAttributter.
- */
-public class NavFellesAttributter {
-
- public static final String XACML10_ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id";
-
- public static final String ENVIRONMENT_FELLES_TOKENX_TOKEN_BODY = "no.nav.abac.attributter.environment.felles.tokenx_token_body";
- public static final String ENVIRONMENT_FELLES_OIDC_TOKEN_BODY = "no.nav.abac.attributter.environment.felles.oidc_token_body";
-
- public static final String ENVIRONMENT_FELLES_PEP_ID = "no.nav.abac.attributter.environment.felles.pep_id";
-
- public static final String RESOURCE_FELLES_RESOURCE_TYPE = "no.nav.abac.attributter.resource.felles.resource_type";
- public static final String RESOURCE_FELLES_DOMENE = "no.nav.abac.attributter.resource.felles.domene";
- public static final String RESOURCE_FELLES_PERSON_FNR = "no.nav.abac.attributter.resource.felles.person.fnr";
- public static final String RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE = "no.nav.abac.attributter.resource.felles.person.aktoerId_resource";
-
-}
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlRequest.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlRequest.java
deleted file mode 100644
index 628f7b893..000000000
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlRequest.java
+++ /dev/null
@@ -1,18 +0,0 @@
-package no.nav.vedtak.sikkerhet.pdp.xacml;
-
-import java.util.List;
-import java.util.Map;
-
-import com.fasterxml.jackson.annotation.JsonFormat;
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-public record XacmlRequest(
- @JsonFormat(with = JsonFormat.Feature.ACCEPT_SINGLE_VALUE_AS_ARRAY) @JsonProperty("Request") Map> request) {
-
- public static record Attributes(
- @JsonFormat(with = JsonFormat.Feature.ACCEPT_SINGLE_VALUE_AS_ARRAY) @JsonProperty("Attribute") List attribute) {
- }
-
- public static record AttributeAssignment(@JsonProperty("AttributeId") String attributeId, @JsonProperty("Value") Object value) {
- }
-}
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlResponse.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlResponse.java
deleted file mode 100644
index 41638f758..000000000
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlResponse.java
+++ /dev/null
@@ -1,22 +0,0 @@
-package no.nav.vedtak.sikkerhet.pdp.xacml;
-
-import java.util.List;
-
-import com.fasterxml.jackson.annotation.JsonFormat;
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-public record XacmlResponse(@JsonFormat(with = JsonFormat.Feature.ACCEPT_SINGLE_VALUE_AS_ARRAY) @JsonProperty("Response") List response) {
-
- public static record Result(@JsonProperty("Decision") Decision decision,
- @JsonFormat(with = JsonFormat.Feature.ACCEPT_SINGLE_VALUE_AS_ARRAY) @JsonProperty("Obligations") List obligations,
- @JsonFormat(with = JsonFormat.Feature.ACCEPT_SINGLE_VALUE_AS_ARRAY) @JsonProperty("AssociatedAdvice") List associatedAdvice) {
- }
-
- public static record ObligationOrAdvice(@JsonProperty("Id") String id,
- @JsonFormat(with = JsonFormat.Feature.ACCEPT_SINGLE_VALUE_AS_ARRAY) @JsonProperty("AttributeAssignment") List attributeAssignment) {
- }
-
- public static record AttributeAssignment(@JsonProperty("AttributeId") String attributeId, @JsonProperty("Value") Object value) {
- }
-
-}
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlResponseMapper.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlResponseMapper.java
deleted file mode 100644
index 78e49990b..000000000
--- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlResponseMapper.java
+++ /dev/null
@@ -1,66 +0,0 @@
-package no.nav.vedtak.sikkerhet.pdp.xacml;
-
-import java.util.Collection;
-import java.util.List;
-import java.util.Optional;
-
-public final class XacmlResponseMapper {
-
- private XacmlResponseMapper() {
- }
-
- private static final String POLICY_IDENTIFIER = "no.nav.abac.attributter.adviceorobligation.deny_policy";
- private static final String DENY_ADVICE_IDENTIFIER = "no.nav.abac.advices.reason.deny_reason";
-
- public static List getObligations(XacmlResponse response) {
- return Optional.ofNullable(response)
- .map(XacmlResponse::response)
- .orElse(List.of())
- .stream()
- .map(r -> Optional.ofNullable(r.obligations()).orElse(List.of()))
- .flatMap(Collection::stream)
- .toList();
- }
-
- public static List getAdvice(XacmlResponse response) {
- return Optional.ofNullable(response)
- .map(XacmlResponse::response)
- .orElse(List.of())
- .stream()
- .map(r -> Optional.ofNullable(r.associatedAdvice()).orElse(List.of()))
- .flatMap(Collection::stream)
- .map(XacmlResponseMapper::getAdviceFrom)
- .flatMap(Collection::stream)
- .toList();
- }
-
- private static List getAdviceFrom(XacmlResponse.ObligationOrAdvice advice) {
- if (!DENY_ADVICE_IDENTIFIER.equals(advice.id())) {
- return List.of();
- }
- return advice.attributeAssignment().stream().map(XacmlResponseMapper::getAdvicefromObject).flatMap(Optional::stream).toList();
- }
-
- private static Optional getAdvicefromObject(XacmlResponse.AttributeAssignment attribute) {
- var attributeId = attribute.attributeId();
-
- if (!POLICY_IDENTIFIER.equals(attributeId)) {
- return Optional.empty();
- }
- var attributeValue = (String) attribute.value();
- return switch (attributeValue) {
- case "fp3_behandle_egen_ansatt" -> Optional.of(Advice.DENY_EGEN_ANSATT);
- case "fp2_behandle_kode7" -> Optional.of(Advice.DENY_KODE_7);
- case "fp1_behandle_kode6" -> Optional.of(Advice.DENY_KODE_6);
- case "skjermede_navansatte_og_familiemedlemmer" -> Optional.of(Advice.DENY_EGEN_ANSATT);
- case "adressebeskyttelse_fortrolig_adresse" -> Optional.of(Advice.DENY_KODE_7);
- case "adressebeskyttelse_strengt_fortrolig_adresse" -> Optional.of(Advice.DENY_KODE_6);
- case "adressebeskyttelse_strengt_fortrolig_adresse_utland" -> Optional.of(Advice.DENY_KODE_6);
- default -> Optional.empty();
- };
- }
-
- public static List getDecisions(XacmlResponse response) {
- return response.response().stream().map(XacmlResponse.Result::decision).toList();
- }
-}
diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/AbacAuditLoggerTest.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/AbacAuditLoggerTest.java
index c14c123da..cef9a185d 100644
--- a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/AbacAuditLoggerTest.java
+++ b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/AbacAuditLoggerTest.java
@@ -25,7 +25,6 @@ import no.nav.vedtak.sikkerhet.abac.beskyttet.ResourceType;
 import no.nav.vedtak.sikkerhet.abac.internal.ActionUthenter;
 import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter;
-import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursInterceptorTest;
 import no.nav.vedtak.sikkerhet.abac.pdp.AppRessursData;
 import no.nav.vedtak.sikkerhet.kontekst.IdentType;
@@ -121,12 +120,10 @@ private BeskyttetRessursAttributter getBeskyttetRessursAttributter(Method method
 .medBrukerOid(UUID.randomUUID())
 .medIdentType(IdentType.InternBruker)
 .medAnsattGrupper(Set.of())
- .medToken(Token.withOidcToken(BeskyttetRessursInterceptorTest.DUMMY_OPENID_TOKEN))
 .medActionType(beskyttetRessurs.actionType())
 .medAvailabilityType(beskyttetRessurs.availabilityType())
 .medResourceType(beskyttetRessurs.resourceType())
 .medSporingslogg(beskyttetRessurs.sporingslogg())
- .medPepId("local-app")
 .medServicePath(ActionUthenter.action(RestClass.class, method))
 .medDataAttributter(dataAttributter)
 .build();
diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java index faaf174aa..d3963a456 100644 --- a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java +++ b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java @@ -22,15 +22,11 @@ import no.nav.vedtak.sikkerhet.abac.beskyttet.AvailabilityType; import no.nav.vedtak.sikkerhet.abac.beskyttet.ResourceType; import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter; -import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursInterceptorTest; import no.nav.vedtak.sikkerhet.abac.pdp.AppRessursData; import no.nav.vedtak.sikkerhet.abac.policy.Tilgangsvurdering; import no.nav.vedtak.sikkerhet.kontekst.AnsattGruppe; import no.nav.vedtak.sikkerhet.kontekst.IdentType; import no.nav.vedtak.sikkerhet.oidc.config.AzureProperty; -import no.nav.vedtak.sikkerhet.oidc.config.OpenIDProvider; -import no.nav.vedtak.sikkerhet.oidc.token.OpenIDToken; -import no.nav.vedtak.sikkerhet.oidc.token.TokenString; import no.nav.vedtak.sikkerhet.tilgang.AnsattGruppeKlient; import no.nav.vedtak.sikkerhet.tilgang.PopulasjonKlient; @@ -94,9 +90,8 @@ void skal_nekte_tilgang_til_saksbehandler_for_piptjeneste() { @Test void skal_gi_tilgang_for_intern_azure_cc() { - var token = new OpenIDToken(OpenIDProvider.AZUREAD, new TokenString("token")); when(tokenProvider.getUid()).thenReturn(LOCAL_APP); - var attributter = lagBeskyttetRessursAttributterAzure(AvailabilityType.INTERNAL, token, IdentType.Systemressurs); + var attributter = lagBeskyttetRessursAttributterAzure(AvailabilityType.INTERNAL, IdentType.Systemressurs); when(pdpRequestBuilder.lagAppRessursData(any())).thenReturn(AppRessursData.builder().build()); 
@@ -108,9 +103,8 @@ void skal_gi_tilgang_for_intern_azure_cc() { @Test void skal_gi_avslag_for_ekstern_azure_cc() { - var token = new OpenIDToken(OpenIDProvider.AZUREAD, new TokenString("token")); when(tokenProvider.getUid()).thenReturn("vtp:annetnamespace:ukjentapplication"); - var attributter = lagBeskyttetRessursAttributterAzure(AvailabilityType.INTERNAL, token, + var attributter = lagBeskyttetRessursAttributterAzure(AvailabilityType.INTERNAL, IdentType.Systemressurs); when(pdpRequestBuilder.lagAppRessursData(any())).thenReturn(AppRessursData.builder().build()); @@ -123,9 +117,8 @@ void skal_gi_avslag_for_ekstern_azure_cc() { @Test void skal_gi_avslag_for_godkjent_ekstern_azure_cc_men_i_feil_klusterklasse() { - var token = new OpenIDToken(OpenIDProvider.AZUREAD, new TokenString("token")); when(tokenProvider.getUid()).thenReturn("dev-fss:annetnamespace:eksternapplication"); - var attributter = lagBeskyttetRessursAttributterAzure(AvailabilityType.INTERNAL, token, + var attributter = lagBeskyttetRessursAttributterAzure(AvailabilityType.INTERNAL, IdentType.Systemressurs); when(pdpRequestBuilder.lagAppRessursData(any())).thenReturn(AppRessursData.builder().build()); @@ -139,9 +132,8 @@ void skal_gi_avslag_for_godkjent_ekstern_azure_cc_men_i_feil_klusterklasse() { @Test void skal_gi_tilgang_for_godkjent_ekstern_azure_cc() { - var token = new OpenIDToken(OpenIDProvider.AZUREAD, new TokenString("token")); when(tokenProvider.getUid()).thenReturn("vtp:annetnamespace:eksternapplication"); - var attributter = lagBeskyttetRessursAttributterAzure(AvailabilityType.ALL, token, + var attributter = lagBeskyttetRessursAttributterAzure(AvailabilityType.ALL, IdentType.Systemressurs); when(pdpRequestBuilder.lagAppRessursData(any())).thenReturn(AppRessursData.builder().build()); 
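Review bot: The three calls rewritten in these hunks (`skal_gi_avslag_for_ekstern_azure_cc`, `skal_gi_avslag_for_godkjent_ekstern_azure_cc_men_i_feil_klusterklasse`, `skal_gi_tilgang_for_godkjent_ekstern_azure_cc`) keep the line break that used to separate the removed `token` argument, so `IdentType.Systemressurs` now dangles on a continuation line after a two-argument call. The first test in the preceding hunk, `skal_gi_tilgang_for_intern_azure_cc`, already writes the same call on one line; folding these to `var attributter = lagBeskyttetRessursAttributterAzure(AvailabilityType.INTERNAL, IdentType.Systemressurs);` (with `AvailabilityType.ALL` in the last one) keeps the helper's call sites uniform. Each of these test methods continues outside its hunk.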
@@ -172,10 +164,8 @@ private BeskyttetRessursAttributter lagBeskyttetRessursAttributter() { .medBrukerOid(UUID.randomUUID()) .medIdentType(IdentType.InternBruker) .medAnsattGrupper(Set.of(AnsattGruppe.SAKSBEHANDLER)) - .medToken(Token.withOidcToken(BeskyttetRessursInterceptorTest.DUMMY_OPENID_TOKEN)) .medResourceType(ResourceType.FAGSAK) .medActionType(ActionType.READ) - .medPepId("local-app") .medServicePath("/metode") .medDataAttributter(AbacDataAttributter.opprett()) .build(); @@ -185,26 +175,20 @@ private BeskyttetRessursAttributter lagBeskyttetRessursAttributterPip() { return BeskyttetRessursAttributter.builder() .medBrukerId(tokenProvider.getUid()) .medIdentType(IdentType.InternBruker) - .medToken(Token.withOidcToken(BeskyttetRessursInterceptorTest.DUMMY_OPENID_TOKEN)) .medResourceType(ResourceType.PIP) .medActionType(ActionType.READ) - .medPepId("local-app") .medServicePath("/metode") .medDataAttributter(AbacDataAttributter.opprett()) .build(); } - private BeskyttetRessursAttributter lagBeskyttetRessursAttributterAzure(AvailabilityType availabilityType, - OpenIDToken token, - IdentType identType) { + private BeskyttetRessursAttributter lagBeskyttetRessursAttributterAzure(AvailabilityType availabilityType, IdentType identType) { return BeskyttetRessursAttributter.builder() .medBrukerId(tokenProvider.getUid()) .medIdentType(identType) - .medToken(Token.withOidcToken(token)) .medResourceType(ResourceType.FAGSAK) .medActionType(ActionType.READ) .medAvailabilityType(availabilityType) - .medPepId("local-app") .medServicePath("/metode") .medDataAttributter(AbacDataAttributter.opprett()) .build(); diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/internal/BeskyttetRessursInterceptorTest.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/internal/BeskyttetRessursInterceptorTest.java index 30a967386..702de1303 100644 --- a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/internal/BeskyttetRessursInterceptorTest.java 
+++ b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/internal/BeskyttetRessursInterceptorTest.java @@ -33,14 +33,10 @@ import no.nav.vedtak.sikkerhet.abac.beskyttet.AvailabilityType; import no.nav.vedtak.sikkerhet.abac.beskyttet.ResourceType; import no.nav.vedtak.sikkerhet.kontekst.IdentType; -import no.nav.vedtak.sikkerhet.oidc.config.OpenIDProvider; -import no.nav.vedtak.sikkerhet.oidc.token.OpenIDToken; -import no.nav.vedtak.sikkerhet.oidc.token.TokenString; @ExtendWith(MockitoExtension.class) -public class BeskyttetRessursInterceptorTest { +class BeskyttetRessursInterceptorTest { - private static final String DUMMY_ID_TOKEN = "eyJraWQiOiI3Mzk2ZGIyZC1hN2MyLTQ1OGEtYjkzNC02ODNiNDgzYzUyNDIiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.OvzjuabvPHG9nlRVc_KlCUTHOdfeT9GtBkASUGIoMayWGeIBDkr4-jc9gu6uT_WQqi9IJnvPkWgP3veqYHcOHpapD1yVNaQpxlrJQ04yP6N3gvkn-DcrBRDb3II_6qSaPQ_us2PJBDPq2VD5TGrNOL6EFwr8FK3zglYr-PgjW016ULTcmx_7gdHmbiC5PEn1_OtGNxzoUhSGKoD3YtUWP0qdsXzoKyeFL5FG9uZMSrDHHiJBZQFXGL9OzBU49Zb2K-iEPqa9m91O2JZGkhebfLjCAIPLPN4J68GFyfTvtNkZO71znorjo-e1nWxz53Wkj---RDY3JlIqNqzqHTfJgQ"; private final RestClass tjeneste = new RestClass(); private final AktørDto aktør1 = new AktørDto("00000000000"); @@ -48,12 +44,9 @@ public class BeskyttetRessursInterceptorTest { private static final String BRUKER_IDENT = "A000000"; private static final UUID BRUKER_OID = UUID.randomUUID(); - private static final String PEP_ID = "test"; private final ArgumentCaptor braCaptor = ArgumentCaptor.forClass(BeskyttetRessursAttributter.class); - public static final OpenIDToken DUMMY_OPENID_TOKEN = new OpenIDToken(OpenIDProvider.TOKENX, new TokenString(DUMMY_ID_TOKEN)); - @Mock private TokenProvider tokenProvider; @Mock 
@@ -66,8 +59,6 @@ void mockTokenProvider() { when(tokenProvider.getOid()).thenReturn(BRUKER_OID); when(tokenProvider.getAnsattGrupper()).thenReturn(Set.of()); when(tokenProvider.getIdentType()).thenReturn(IdentType.InternBruker); - when(tokenProvider.openIdToken()).thenReturn(DUMMY_OPENID_TOKEN); - when(pep.pepId()).thenReturn(PEP_ID); } @Test @@ -135,8 +126,6 @@ private void assertBeskyttetRessursAttributter(BeskyttetRessursAttributter bra) assertThat(bra.getActionType()).isEqualTo(ActionType.CREATE); assertThat(bra.getResourceType()).isEqualTo(ResourceType.PIP); assertThat(bra.getAvailabilityType()).isEqualTo(AvailabilityType.INTERNAL); - assertThat(bra.getPepId()).isEqualTo(PEP_ID); - assertThat(bra.getToken().getOpenIDProvider()).isEqualTo(OpenIDProvider.TOKENX); assertThat(bra.getServicePath()).startsWith("/foo"); assertThat(bra.getDataAttributter().keySet()).hasSize(1); } diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/policy/EksternBrukerTest.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/policy/EksternBrukerTest.java index 579137b00..0f6e51535 100644 --- a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/policy/EksternBrukerTest.java +++ b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/policy/EksternBrukerTest.java @@ -7,11 +7,9 @@ import org.mockito.junit.jupiter.MockitoExtension; import no.nav.vedtak.sikkerhet.abac.AbacDataAttributter; -import no.nav.vedtak.sikkerhet.abac.Token; import no.nav.vedtak.sikkerhet.abac.beskyttet.ActionType; import no.nav.vedtak.sikkerhet.abac.beskyttet.ResourceType; import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter; -import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursInterceptorTest; import no.nav.vedtak.sikkerhet.abac.pdp.AppRessursData; import no.nav.vedtak.sikkerhet.kontekst.IdentType; 
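Review bot: With the `getPepId()` and `getToken()` assertions removed in the second hunk, `assertBeskyttetRessursAttributter` no longer checks anything about who the caller is, even though the interceptor now derives the caller identity solely from `tokenProvider` (`getOid`, `getAnsattGrupper`, `getIdentType` are stubbed in the first hunk with `BRUKER_OID`, `Set.of()` and `IdentType.InternBruker`, and `getUid` is presumably stubbed to `BRUKER_IDENT` just above it). Unless the method already asserts these above the hunk — it starts outside it — add assertions that the built attributes carry `BRUKER_IDENT`, `BRUKER_OID` and `IdentType.InternBruker` through the corresponding accessors of `BeskyttetRessursAttributter`, so a regression that drops or swaps the identity attributes handed to the PEP is caught by this test.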
@@ -97,10 +95,8 @@ private BeskyttetRessursAttributter lagAttributter(ActionType actionType, Resour return BeskyttetRessursAttributter.builder() .medBrukerId("12345678901") .medIdentType(IdentType.EksternBruker) - .medToken(Token.withOidcToken(BeskyttetRessursInterceptorTest.DUMMY_OPENID_TOKEN)) .medResourceType(resourceType) .medActionType(actionType) - .medPepId("local-app") .medServicePath("/metode") .medDataAttributter(AbacDataAttributter.opprett()) .build(); diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/policy/InternBrukerFagsakTest.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/policy/InternBrukerFagsakTest.java index a8821acfa..2c6c1dbb8 100644 --- a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/policy/InternBrukerFagsakTest.java +++ b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/policy/InternBrukerFagsakTest.java @@ -10,11 +10,9 @@ import org.mockito.junit.jupiter.MockitoExtension; import no.nav.vedtak.sikkerhet.abac.AbacDataAttributter; -import no.nav.vedtak.sikkerhet.abac.Token; import no.nav.vedtak.sikkerhet.abac.beskyttet.ActionType; import no.nav.vedtak.sikkerhet.abac.beskyttet.ResourceType; import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter; -import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursInterceptorTest; import no.nav.vedtak.sikkerhet.abac.pdp.AppRessursData; import no.nav.vedtak.sikkerhet.abac.pipdata.PipBehandlingStatus; import no.nav.vedtak.sikkerhet.abac.pipdata.PipFagsakStatus; @@ -232,10 +230,8 @@ private BeskyttetRessursAttributter lagAttributter(AnsattGruppe ansattGruppe, Ac .medBrukerOid(UUID.randomUUID()) .medIdentType(IdentType.InternBruker) .medAnsattGrupper(Set.of(ansattGruppe)) - .medToken(Token.withOidcToken(BeskyttetRessursInterceptorTest.DUMMY_OPENID_TOKEN)) .medResourceType(ResourceType.FAGSAK) .medActionType(actionType) - .medPepId("local-app") .medServicePath("/metode") .medDataAttributter(AbacDataAttributter.opprett()) .build(); 
diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/policy/InternBrukerTest.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/policy/InternBrukerTest.java index f60086256..40ec6a455 100644 --- a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/policy/InternBrukerTest.java +++ b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/policy/InternBrukerTest.java @@ -10,11 +10,9 @@ import org.mockito.junit.jupiter.MockitoExtension; import no.nav.vedtak.sikkerhet.abac.AbacDataAttributter; -import no.nav.vedtak.sikkerhet.abac.Token; import no.nav.vedtak.sikkerhet.abac.beskyttet.ActionType; import no.nav.vedtak.sikkerhet.abac.beskyttet.ResourceType; import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter; -import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursInterceptorTest; import no.nav.vedtak.sikkerhet.abac.pdp.AppRessursData; import no.nav.vedtak.sikkerhet.abac.pdp.ForeldrepengerDataKeys; import no.nav.vedtak.sikkerhet.kontekst.AnsattGruppe; @@ -161,10 +159,8 @@ private BeskyttetRessursAttributter lagAttributter(AnsattGruppe ansattGruppe, Ac .medBrukerOid(UUID.randomUUID()) .medIdentType(IdentType.InternBruker) .medAnsattGrupper(Set.of(ansattGruppe)) - .medToken(Token.withOidcToken(BeskyttetRessursInterceptorTest.DUMMY_OPENID_TOKEN)) .medResourceType(resourceType) .medActionType(actionType) - .medPepId("local-app") .medServicePath("/metode") .medDataAttributter(AbacDataAttributter.opprett()) .build(); diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/policy/SystemressursTest.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/policy/SystemressursTest.java index ed13338e3..2d8c88d72 100644 --- a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/policy/SystemressursTest.java +++ b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/policy/SystemressursTest.java 
@@ -10,12 +10,10 @@ import no.nav.foreldrepenger.konfig.Namespace; import no.nav.vedtak.sikkerhet.abac.AbacDataAttributter; -import no.nav.vedtak.sikkerhet.abac.Token; import no.nav.vedtak.sikkerhet.abac.beskyttet.ActionType; import no.nav.vedtak.sikkerhet.abac.beskyttet.AvailabilityType; import no.nav.vedtak.sikkerhet.abac.beskyttet.ResourceType; import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter; -import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursInterceptorTest; import no.nav.vedtak.sikkerhet.abac.pdp.AppRessursData; import no.nav.vedtak.sikkerhet.abac.pipdata.PipBehandlingStatus; import no.nav.vedtak.sikkerhet.kontekst.IdentType; @@ -92,10 +90,8 @@ private BeskyttetRessursAttributter lagBeskyttetRessursAttributter() { return BeskyttetRessursAttributter.builder() .medBrukerId(LOCAL_APP) .medIdentType(IdentType.Systemressurs) - .medToken(Token.withOidcToken(BeskyttetRessursInterceptorTest.DUMMY_OPENID_TOKEN)) .medResourceType(ResourceType.FAGSAK) .medActionType(ActionType.UPDATE) - .medPepId("local-app") .medServicePath("/metode") .medDataAttributter(AbacDataAttributter.opprett()) .build(); @@ -105,11 +101,9 @@ private BeskyttetRessursAttributter lagBeskyttetRessursAttributterAzure(Availabi return BeskyttetRessursAttributter.builder() .medBrukerId(brukerId) .medIdentType(IdentType.Systemressurs) - .medToken(Token.withOidcToken(BeskyttetRessursInterceptorTest.DUMMY_OPENID_TOKEN)) .medResourceType(ResourceType.APPLIKASJON) .medActionType(ActionType.READ) .medAvailabilityType(availabilityType) - .medPepId("local-app") .medServicePath("/metode") .medDataAttributter(AbacDataAttributter.opprett()) .build(); diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImplTest.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImplTest.java deleted file mode 100644 index 28dc17aae..000000000 --- a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImplTest.java +++ /dev/null 
@@ -1,302 +0,0 @@ -package no.nav.vedtak.sikkerhet.pdp; - -import static org.assertj.core.api.Assertions.assertThat; -import static org.mockito.ArgumentMatchers.any; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; - -import java.io.File; -import java.io.IOException; -import java.util.ArrayList; -import java.util.Collection; -import java.util.HashSet; -import java.util.LinkedHashSet; -import java.util.List; -import java.util.Set; - -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Disabled; -import org.junit.jupiter.api.Test; -import org.mockito.ArgumentCaptor; - -import no.nav.vedtak.exception.VLException; -import no.nav.vedtak.mapper.json.DefaultJsonMapper; -import no.nav.vedtak.sikkerhet.abac.AbacDataAttributter; -import no.nav.vedtak.sikkerhet.abac.AbacResultat; -import no.nav.vedtak.sikkerhet.abac.PdpKlient; -import no.nav.vedtak.sikkerhet.abac.Token; -import no.nav.vedtak.sikkerhet.abac.beskyttet.ActionType; -import no.nav.vedtak.sikkerhet.abac.beskyttet.ResourceType; -import no.nav.vedtak.sikkerhet.abac.internal.BeskyttetRessursAttributter; -import no.nav.vedtak.sikkerhet.abac.pdp.AppRessursData; -import no.nav.vedtak.sikkerhet.abac.pipdata.PipBehandlingStatus; -import no.nav.vedtak.sikkerhet.kontekst.IdentType; -import no.nav.vedtak.sikkerhet.oidc.config.OpenIDProvider; -import no.nav.vedtak.sikkerhet.oidc.token.OpenIDToken; -import no.nav.vedtak.sikkerhet.oidc.token.TokenString; -import no.nav.vedtak.sikkerhet.pdp.xacml.Category; -import no.nav.vedtak.sikkerhet.pdp.xacml.NavFellesAttributter; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequest; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlResponse; - -class PdpKlientImplTest { - - private static final String JWT_TOKENSTRING = 
"eyAidHlwIjogIkpXVCIsICJraWQiOiAiU0gxSWVSU2sxT1VGSDNzd1orRXVVcTE5VHZRPSIsICJhbGciOiAiUlMyNTYiIH0.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.S2DKQweQWZIfjaAT2UP9_dxrK5zqpXj8IgtjDLt5PVfLYfZqpWGaX-ckXG0GlztDVBlRK4ylmIYacTmEAUV_bRa_qWKRNxF83SlQRgHDSiE82SGv5WHOGEcAxf2w_d50XsgA2KDBCyv0bFIp9bCiKzP11uWPW0v4uIkyw2xVxMVPMCuiMUtYFh80sMDf9T4FuQcFd0LxoYcSFDEDlwCdRiF3ufw73qtMYBlNIMbTGHx-DZWkZV7CgukmCee79gwQIvGwdLrgaDrHFCJUDCbB1FFEaE3p3_BZbj0T54fCvL69aHyWm1zEd9Pys15yZdSh3oSSr4yVNIxhoF-nQ7gY-g;"; - public static final OpenIDToken JWT_TOKEN = new OpenIDToken(OpenIDProvider.AZUREAD, new TokenString(JWT_TOKENSTRING)); - public static final OpenIDToken JWT_TOKENX_TOKEN = new OpenIDToken(OpenIDProvider.TOKENX, new TokenString(JWT_TOKENSTRING)); - private static final String DOMENE = "foreldrepenger"; - - private PdpKlient pdpKlient; - private PdpConsumer pdpConsumerMock; - - @BeforeEach - public void setUp() { - pdpConsumerMock = mock(PdpConsumer.class); - pdpKlient = new PdpKlientImpl(pdpConsumerMock); - } - - @Test - void kallPdpUtenFnrResourceHvisPersonlisteErTom() { - var idToken = Token.withOidcToken(JWT_TOKEN); - var responseWrapper = createResponse("xacmlresponse.json"); - var captor = ArgumentCaptor.forClass(XacmlRequest.class); - - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().build(); - pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - - assertThat(captor.getValue().toString()).doesNotContain(NavFellesAttributter.RESOURCE_FELLES_PERSON_FNR); - } - - @Test - void kallPdpMedJwtTokenBodyNårIdTokenErJwtToken() { - var idToken = Token.withOidcToken(JWT_TOKEN); - var responseWrapper = createResponse("xacmlresponse.json"); - var captor = ArgumentCaptor.forClass(XacmlRequest.class); - - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - - var felles = 
lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().leggTilFødselsnummer("12345678900").build(); - pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - - assertThat(captor.getValue().toString()).contains(NavFellesAttributter.ENVIRONMENT_FELLES_OIDC_TOKEN_BODY); - } - - @Test - void kallPdpMedJwtTokenBodyNårIdTokenErTokeXToken() { - var idToken = Token.withOidcToken(JWT_TOKENX_TOKEN); - var responseWrapper = createResponse("xacmlresponse.json"); - var captor = ArgumentCaptor.forClass(XacmlRequest.class); - - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().leggTilFødselsnummer("12345678900").build(); - pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - - assertThat(captor.getValue().toString()).contains(NavFellesAttributter.ENVIRONMENT_FELLES_TOKENX_TOKEN_BODY); - } - - @Test - void kallPdpMedFlereAttributtSettNårPersonlisteStørreEnn1() { - var idToken = Token.withOidcToken(JWT_TOKEN); - var responseWrapper = createResponse("xacml3response.json"); - var captor = ArgumentCaptor.forClass(XacmlRequest.class); - - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - Set personnr = new HashSet<>(); - personnr.add("12345678900"); - personnr.add("00987654321"); - personnr.add("15151515151"); - - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().leggTilFødselsnumre(personnr).build(); - pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - - String xacmlRequestString = captor.getValue().toString(); - - assertThat(xacmlRequestString.contains("12345678900")).isTrue(); - assertThat(xacmlRequestString.contains("00987654321")).isTrue(); - assertThat(xacmlRequestString.contains("15151515151")).isTrue(); - } - - @Test - void 
kallPdpMedFlereAttributtSettNårPersonlisteStørreEnn2() { - var idToken = Token.withOidcToken(JWT_TOKEN); - var responseWrapper = createResponse("xacmlresponse-array.json"); - var captor = ArgumentCaptor.forClass(XacmlRequest.class); - - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - Set personnr = new HashSet<>(); - personnr.add("12345678900"); - personnr.add("00987654321"); - personnr.add("15151515151"); - - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().leggTilFødselsnumre(personnr).build(); - pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - - String xacmlRequestString = captor.getValue().toString(); - - assertThat(xacmlRequestString.contains("12345678900")).isTrue(); - assertThat(xacmlRequestString.contains("00987654321")).isTrue(); - assertThat(xacmlRequestString.contains("15151515151")).isTrue(); - } - - @Test - void sporingsloggListeSkalHaSammeRekkefølgePåidenterSomXacmlRequest() { - var idToken = Token.withOidcToken(JWT_TOKEN); - var responseWrapper = createResponse("xacml3response.json"); - var captor = ArgumentCaptor.forClass(XacmlRequest.class); - - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - Set personnr = new LinkedHashSet<>(); - personnr.add("12345678900"); - personnr.add("00987654321"); - personnr.add("15151515151"); - - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().leggTilFødselsnumre(personnr).medBehandlingStatus(PipBehandlingStatus.UTREDES).build(); - pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - - var xacmlRequest = captor.getValue(); - var resourceArray = xacmlRequest.request().get(Category.Resource); - var personArray = resourceArray.stream() - .map(XacmlRequest.Attributes::attribute) - .flatMap(Collection::stream) - .filter(a -> NavFellesAttributter.RESOURCE_FELLES_PERSON_FNR.equals(a.attributeId())) - 
.toList(); - - var personer = new ArrayList<>(ressurs.getFødselsnumre()); - - for (int i = 0; i < personer.size(); i++) { - assertThat(personArray.get(i).value().toString()).contains(personer.get(i)); - } - } - - @Test - void skal_bare_ta_med_deny_advice() { - var idToken = Token.withOidcToken(JWT_TOKENX_TOKEN); - var responseWrapper = createResponse("xacmlresponse_1deny_1permit.json"); - - var captor = ArgumentCaptor.forClass(XacmlRequest.class); - - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - Set personnr = new HashSet<>(); - personnr.add("12345678900"); - personnr.add("07078515206"); - - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett(), IdentType.EksternBruker); - var ressurs = AppRessursData.builder().leggTilFødselsnumre(personnr).build(); - var resultat = pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - - assertThat(resultat.beslutningKode()).isEqualTo(AbacResultat.AVSLÅTT_EGEN_ANSATT); - } - - private void assertHasAttribute(List attributes, String attributeName, String expectedValue) { - int jsize = attributes.size(); - for (int j = 0; j < jsize; j++) { - int size = attributes.get(j).attribute().size(); - for (int i = 0; i < size; i++) { - var obj = attributes.get(j).attribute().get(i); - if (obj.attributeId().equals(attributeName) && obj.value().toString().equals(expectedValue)) { - return; - } - } - } - throw new AssertionError("Fant ikke " + attributeName + "=" + expectedValue + " i " + attributes); - } - - @Test - void skalFeileVedUkjentObligation() { - var idToken = Token.withOidcToken(new OpenIDToken(OpenIDProvider.TOKENX, new TokenString("OIDC"))); - var responseWrapper = createResponse("xacmlresponse_multiple_obligation.json"); - - when(pdpConsumerMock.evaluate(any(XacmlRequest.class))).thenReturn(responseWrapper); - String feilKode = ""; - try { - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = 
AppRessursData.builder().leggTilFødselsnumre(Set.of("12345678900")).build(); - pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - } catch (VLException e) { - feilKode = e.getKode(); - } - assertThat(feilKode).isEqualTo("F-026969"); - } - - @Test - void skal_håndtere_blanding_av_fnr_og_aktør_id() { - - var idToken = Token.withOidcToken(JWT_TOKEN); - var responseWrapper = createResponse("xacml3response.json"); - var captor = ArgumentCaptor.forClass(XacmlRequest.class); - - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - Set personnr = new HashSet<>(); - personnr.add("12345678900"); - Set aktørId = new HashSet<>(); - aktørId.add("11111"); - aktørId.add("22222"); - - var felles = lagBeskyttetRessursAttributter(idToken, AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().leggTilFødselsnumre(personnr).leggTilAktørIdSet(aktørId).build(); - pdpKlient.forespørTilgang(felles, DOMENE, ressurs); - - var xacmlRequestString = DefaultJsonMapper.toJson(captor.getValue()); - - assertThat(xacmlRequestString).contains( - "{\"AttributeId\":\"no.nav.abac.attributter.resource.felles.person.fnr\",\"Value\":\"12345678900\"}", - "{\"AttributeId\":\"no.nav.abac.attributter.resource.felles.person.aktoerId_resource\",\"Value\":\"11111\"}", - "{\"AttributeId\":\"no.nav.abac.attributter.resource.felles.person.aktoerId_resource\",\"Value\":\"22222\"}"); - } - - private BeskyttetRessursAttributter lagBeskyttetRessursAttributter(Token token, AbacDataAttributter dataAttributter) { - return lagBeskyttetRessursAttributter(token, dataAttributter, IdentType.InternBruker); - } - - private BeskyttetRessursAttributter lagBeskyttetRessursAttributter(Token token, - AbacDataAttributter dataAttributter, - IdentType identType) { - return BeskyttetRessursAttributter.builder() - .medBrukerId("IDENT") - .medIdentType(identType) - .medToken(token) - .medResourceType(ResourceType.FAGSAK) - .medActionType(ActionType.READ) - .medPepId("local-app") - 
.medServicePath("/metode") - .medDataAttributter(dataAttributter) - .build(); - } - - @SuppressWarnings("resource") - private XacmlResponse createResponse(String jsonFile) { - File file = new File(getClass().getClassLoader().getResource(jsonFile).getFile()); - try { - return DefaultJsonMapper.getObjectMapper().readValue(file, XacmlResponse.class); - } catch (Exception e) { - // - } - return null; - } - - @Test - @Disabled // FLYTT TIL FPTIL - void lese_sammenligne_request() throws IOException { - File file = new File(getClass().getClassLoader().getResource("request.json").getFile()); - var target = DefaultJsonMapper.getObjectMapper().readValue(file, XacmlRequest.class); - - var felles = lagBeskyttetRessursAttributter(Token.withOidcToken(JWT_TOKEN), AbacDataAttributter.opprett()); - var ressurs = AppRessursData.builder().leggTilAktørId("11111").leggTilFødselsnummer("12345678900").build(); - var request = XacmlRequestMapper.lagXacmlRequest(felles, DOMENE, ressurs); - - assertThat(request.request().get(Category.Action)).isEqualTo(target.request().get(Category.Action)); - assertThat(request.request().get(Category.Environment)).isEqualTo(target.request().get(Category.Environment)); - assertThat(request.request().get(Category.Resource)).isEqualTo(target.request().get(Category.Resource)); - - } - -} diff --git a/felles/abac/src/test/resources/request.json b/felles/abac/src/test/resources/request.json deleted file mode 100644 index fcca93c8e..000000000 --- a/felles/abac/src/test/resources/request.json +++ /dev/null 
@@ -1,58 +0,0 @@
-{
- "Request": {
- "Action": {
- "Attribute": [
- {
- "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
- "Value": "read"
- }
- ]
- },
- "Environment": {
- "Attribute": [
- {
- "AttributeId": "no.nav.abac.attributter.environment.felles.pep_id",
- "Value": "local-app"
- },
- {
- "AttributeId": "no.nav.abac.attributter.environment.felles.oidc_token_body",
- "Value": "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"
- }
- ]
- },
- "Resource": [
- {
- "Attribute": [
- {
- "AttributeId": "no.nav.abac.attributter.resource.felles.domene",
- "Value": "foreldrepenger"
- },
- {
- "AttributeId": "no.nav.abac.attributter.resource.felles.resource_type",
- "Value": "no.nav.abac.attributter.foreldrepenger.fagsak"
- },
- {
- "AttributeId": "no.nav.abac.attributter.resource.felles.person.aktoerId_resource",
- "Value": "11111"
- }
- ]
- },
- {
- "Attribute": [
- {
- "AttributeId": "no.nav.abac.attributter.resource.felles.domene",
- "Value": "foreldrepenger"
- },
- {
- "AttributeId": "no.nav.abac.attributter.resource.felles.resource_type",
- "Value": "no.nav.abac.attributter.foreldrepenger.fagsak"
- },
- {
- "AttributeId": "no.nav.abac.attributter.resource.felles.person.fnr",
- "Value": "12345678900"
- }
- ]
- }
- ]
- }
-}
diff --git a/felles/abac/src/test/resources/request1.json b/felles/abac/src/test/resources/request1.json
deleted file mode 100644
index ecb76b026..000000000
--- a/felles/abac/src/test/resources/request1.json
+++ /dev/null
@@ -1,74 +0,0 @@
-{
- "Request": {
- "Action": {
- "Attribute": [
- {
- "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
- "Value": "read"
- }
- ]
- },
- "Environment": {
- "Attribute": [
- {
- "AttributeId": "no.nav.abac.attributter.environment.felles.pep_id",
- "Value": "local-app"
- },
- {
- "AttributeId": "no.nav.abac.attributter.environment.felles.oidc_token_body",
- "Value": "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"
- }
- ]
- },
- "Resource": [
- {
- "Attribute": [
- {
- "AttributeId": "no.nav.abac.attributter.resource.felles.domene",
- "Value": "foreldrepenger"
- },
- {
- "AttributeId": "no.nav.abac.attributter.resource.felles.resource_type",
- "Value": "no.nav.abac.attributter.foreldrepenger.fagsak"
- },
- {
- "AttributeId": "no.nav.abac.attributter.resource.felles.person.aktoerId_resource",
- "Value": "11111"
- }
- ]
- },
- {
- "Attribute": [
- {
- "AttributeId": "no.nav.abac.attributter.resource.felles.domene",
- "Value": "foreldrepenger"
- },
- {
- "AttributeId": "no.nav.abac.attributter.resource.felles.resource_type",
- "Value": "no.nav.abac.attributter.foreldrepenger.fagsak"
- },
- {
- "AttributeId": "no.nav.abac.attributter.resource.felles.person.fnr",
- "Value": "12345678900"
- }
- ]
- }
- ],
- "AccessSubject": {
- "Attribute": [
- {
- "AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
- "Value": "Z991241"
- },
- {
- "AttributeId": "no.nav.abac.attributter.subject.felles.subjectType",
- "Value": "EksternBruker"
- },
- {
- "AttributeId": "no.nav.abac.attributter.subject.felles.authenticationLevel",
- "Value": 4
- }
- ]
- }
- }
-}
diff --git a/felles/abac/src/test/resources/xacml3response.json b/felles/abac/src/test/resources/xacml3response.json
deleted file mode 100644
index bd7ed00a4..000000000
--- a/felles/abac/src/test/resources/xacml3response.json
+++ /dev/null
@@ -1,64 +0,0 @@
-{
- "Response": [
- {
- "Decision": "Deny",
- "Status": {
- "StatusCode": {
- "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
- "StatusCode": {
- "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
- }
- }
- },
- "AssociatedAdvice": [{
- "Id": "no.nav.abac.advices.deny.reason",
- "AttributeAssignment": [{
- "AttributeId": "no.nav.abac.advice.fritekst",
- "Value": "Ikke tilgang",
- "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
- "DataType": "http://www.w3.org/2001/XMLSchema#string"
- }]
- }]
- },
- {
- "Decision": "Deny",
- "Status": {
- "StatusCode": {
- "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
- "StatusCode": {
- "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
- }
- }
- },
- "AssociatedAdvice": [{
- "Id": "no.nav.abac.advices.deny.reason",
- "AttributeAssignment": [{
- "AttributeId": "no.nav.abac.advice.fritekst",
- "Value": "Ikke tilgang",
- "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
- "DataType": "http://www.w3.org/2001/XMLSchema#string"
- }]
- }]
- },
- {
- "Decision": "Deny",
- "Status": {
- "StatusCode": {
- "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
- "StatusCode": {
- "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
- }
- }
- },
- "AssociatedAdvice": [{
- "Id": "no.nav.abac.advices.deny.reason",
- "AttributeAssignment": [{
- "AttributeId": "no.nav.abac.advice.fritekst",
- "Value": "Ikke tilgang",
- "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
- "DataType": "http://www.w3.org/2001/XMLSchema#string"
- }]
- }]
- }
- ]
-}
diff --git a/felles/abac/src/test/resources/xacmlresponse-array.json b/felles/abac/src/test/resources/xacmlresponse-array.json
deleted file mode 100644
index 066b235e6..000000000
--- a/felles/abac/src/test/resources/xacmlresponse-array.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "Response": [{
- "Decision": "Deny",
- "Status": {
- "StatusCode": {
- "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
- "StatusCode": {
- "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
- }
- }
- },
- "AssociatedAdvice": [
- {
- "Id": "no.nav.abac.advices.deny.reason",
- "AttributeAssignment": [{
- "AttributeId": "no.nav.abac.advice.fritekst",
- "Value": "Ikke tilgang",
- "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
- "DataType": "http://www.w3.org/2001/XMLSchema#string"
- }]
- },
- {
- "Id": "no.nav.abac.advices.deny.reason",
- "AttributeAssignment": [{
- "AttributeId": "no.nav.abac.advice.fritekst",
- "Value": "Ikke tilgang",
- "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
- "DataType": "http://www.w3.org/2001/XMLSchema#string"
- }]
- }
- ]
- }]
-}
diff --git a/felles/abac/src/test/resources/xacmlresponse.json b/felles/abac/src/test/resources/xacmlresponse.json
deleted file mode 100644
index 966921f99..000000000
--- a/felles/abac/src/test/resources/xacmlresponse.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "Response": [
- {
- "Decision": "Deny",
- "AssociatedAdvice": [
- {
- "Id": "no.nav.abac.advices.deny.reason",
- "AttributeAssignment": [
- {
- "AttributeId": "no.nav.abac.advice.fritekst",
- "Value": "Ikke tilgang",
- "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
- "DataType": "http://www.w3.org/2001/XMLSchema#string"
- }
- ]
- }
- ]
- }
- ]
-}
diff --git a/felles/abac/src/test/resources/xacmlresponse_1deny_1permit.json b/felles/abac/src/test/resources/xacmlresponse_1deny_1permit.json
deleted file mode 100644
index 68d917c3d..000000000
--- a/felles/abac/src/test/resources/xacmlresponse_1deny_1permit.json
+++ /dev/null
@@ -1,60 +0,0 @@
-{
- "Response": [
- {
- "Decision": "Deny",
- "Status": {
- "StatusCode": {
- "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
- "StatusCode": {
- "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
- }
- }
- },
- "AssociatedAdvice": [{
- "Id": "no.nav.abac.advices.reason.deny_reason",
- "AttributeAssignment": [
- {
- "AttributeId": "no.nav.abac.attributter.adviceorobligation.cause",
- "Value": "cause-0001-manglerrolle",
- "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
- "DataType": "http://www.w3.org/2001/XMLSchema#string"
- },
- {
- "AttributeId": "no.nav.abac.attributter.adviceorobligation.deny_policy",
- "Value": "fp3_behandle_egen_ansatt",
- "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
- "DataType": "http://www.w3.org/2001/XMLSchema#string"
- },
- {
- "AttributeId": "no.nav.abac.attributter.adviceorobligation.deny_rule",
- "Value": "intern_behandle_egen_ansatt_feilgruppetilgang",
- "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
- "DataType": "http://www.w3.org/2001/XMLSchema#string"
- }
- ]
- }]
- },
- {
- "Decision": "Permit",
- "Status": {
- "StatusCode": {
- "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
- "StatusCode": {
- "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
- }
- }
- },
- "AssociatedAdvice": [{
- "Id": "no.nav.abac.advices.action.sporbarhetslogg",
- "AttributeAssignment": [
- {
- "AttributeId": "no.nav.abac.attributter.adviceorobligation.fritekst",
- "Value": "alt ok",
- "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
- "DataType": "http://www.w3.org/2001/XMLSchema#string"
- }
- ]
- }]
- }
- ]
-}
diff --git a/felles/abac/src/test/resources/xacmlresponse_multiple_obligation.json b/felles/abac/src/test/resources/xacmlresponse_multiple_obligation.json
deleted file mode 100644
index 1e33d0220..000000000
--- a/felles/abac/src/test/resources/xacmlresponse_multiple_obligation.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "Response": [
- {
- "Decision": "Permit",
- "Status": {
- "StatusCode": {
- "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
- "StatusCode": {
- "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
- }
- }
- },
- "Obligations": [
- {
- "Id": "no.nav.abac.obligation.action.log",
- "AttributeAssignment": [
- {
- "AttributeId": "no.nav.abac.advice.fritekst",
- "Value": "Mangler konsument (consumerId)",
- "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
- "DataType": "http://www.w3.org/2001/XMLSchema#string"
- }
- ]
- },
- {
- "Id": "no.nav.abac.obligation.action.auditlog",
- "AttributeAssignment": [{
- "AttributeId": "no.nav.abac.advice.fritekst",
- "Value": "Mangler autentiseringsNivaa (authenticationLevel)",
- "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
- "DataType": "http://www.w3.org/2001/XMLSchema#string"
- }]
- }
- ]
- }
- ]
-}
diff --git a/felles/kontekst/src/main/java/no/nav/vedtak/sikkerhet/kontekst/Systembruker.java b/felles/kontekst/src/main/java/no/nav/vedtak/sikkerhet/kontekst/Systembruker.java
deleted file mode 100644
index a05f38c28..000000000
--- a/felles/kontekst/src/main/java/no/nav/vedtak/sikkerhet/kontekst/Systembruker.java
+++ /dev/null
@@ -1,25 +0,0 @@
-package no.nav.vedtak.sikkerhet.kontekst;
-
-import no.nav.foreldrepenger.konfig.Environment;
-
-/**
- * Brukes enn så lenge ifm Abac, STS-tokens, OnPrem-Kafka og WS-kall. Utledning av identtype ved intern STS
- * På sikt vil vi bruke verdier fra Nais (appname, clientId)
- */
-public class Systembruker {
-
- private static final Environment ENV = Environment.current();
- private static final String SYSTEMBRUKER_USERNAME = ENV.getProperty("systembruker.username");
- private static final String SYSTEMBRUKER_PASSWORD = ENV.getProperty("systembruker.password");
-
- private Systembruker() {
- }
-
- public static String username() {
- return SYSTEMBRUKER_USERNAME;
- }
-
- public static String password() {
- return SYSTEMBRUKER_PASSWORD;
- }
-}