diff --git a/felles/auth-filter/src/test/java/no/nav/vedtak/sikkerhet/jaxrs/AuthenticationFilterDelegateTest.java b/felles/auth-filter/src/test/java/no/nav/vedtak/sikkerhet/jaxrs/AuthenticationFilterDelegateTest.java
index 8b1776b9a..7fb3fc7c2 100644
--- a/felles/auth-filter/src/test/java/no/nav/vedtak/sikkerhet/jaxrs/AuthenticationFilterDelegateTest.java
+++ b/felles/auth-filter/src/test/java/no/nav/vedtak/sikkerhet/jaxrs/AuthenticationFilterDelegateTest.java
@@ -5,6 +5,7 @@
 import static org.mockito.Mockito.when;
 
 import java.lang.reflect.Method;
+import java.util.Arrays;
 
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.WebApplicationException;
@@ -17,14 +18,11 @@
 import org.junit.jupiter.api.Test;
 import org.mockito.Mockito;
 
-import no.nav.vedtak.mapper.json.DefaultJsonMapper;
 import no.nav.vedtak.sikkerhet.kontekst.IdentType;
 import no.nav.vedtak.sikkerhet.kontekst.KontekstHolder;
 import no.nav.vedtak.sikkerhet.kontekst.SikkerhetContext;
 import no.nav.vedtak.sikkerhet.oidc.config.AzureProperty;
 import no.nav.vedtak.sikkerhet.oidc.config.OpenIDProvider;
-import no.nav.vedtak.sikkerhet.oidc.config.impl.WellKnownConfigurationHelper;
-import no.nav.vedtak.sikkerhet.oidc.config.impl.WellKnownOpenIdConfiguration;
 import no.nav.vedtak.sikkerhet.oidc.token.OpenIDToken;
 import no.nav.vedtak.sikkerhet.oidc.token.TokenString;
 import no.nav.vedtak.sikkerhet.oidc.validator.OidcTokenValidator;
@@ -33,34 +31,35 @@ class AuthenticationFilterDelegateTest { + private static final String SYSTEMBRUKER_PROP = "systembruker.username"; + private final OidcTokenValidator tokenValidator = Mockito.mock(OidcTokenValidator.class); private final ContainerRequestContext request = Mockito.mock(ContainerRequestContext.class); public void setupAll() { - var wellKnownUrl = OidcTokenGenerator.ISSUER + "/" + WellKnownConfigurationHelper.STANDARD_WELL_KNOWN_PATH; + var wellKnownUrl = OidcTokenGenerator.ISSUER + "/dummy"; System.setProperty(AzureProperty.AZURE_APP_WELL_KNOWN_URL.name(), wellKnownUrl); System.setProperty(AzureProperty.AZURE_APP_CLIENT_ID.name(), "OIDC"); - System.setProperty("systembruker.username", "JUnit Test"); + System.setProperty(AzureProperty.AZURE_APP_CLIENT_SECRET.name(), "dummy"); + System.setProperty(AzureProperty.AZURE_OPENID_CONFIG_ISSUER.name(), OidcTokenGenerator.ISSUER); + System.setProperty(AzureProperty.AZURE_OPENID_CONFIG_JWKS_URI.name(), OidcTokenGenerator.ISSUER + "/jwks_uri"); + System.setProperty(AzureProperty.AZURE_OPENID_CONFIG_TOKEN_ENDPOINT.name(), "dummy"); - var wellKnownResponse = new WellKnownOpenIdConfiguration(OidcTokenGenerator.ISSUER, OidcTokenGenerator.ISSUER + "/jwks_uri", "dummy"); - WellKnownConfigurationHelper.setWellKnownConfig(wellKnownUrl, DefaultJsonMapper.toJson(wellKnownResponse)); + System.setProperty(SYSTEMBRUKER_PROP, "JUnit Test"); OidcTokenValidatorConfig.addValidator(OpenIDProvider.AZUREAD, tokenValidator); } @BeforeEach public void setUp() { - WellKnownConfigurationHelper.unsetWellKnownConfig(); setupAll(); } @AfterEach public void teardown() { - System.clearProperty(AzureProperty.AZURE_APP_WELL_KNOWN_URL.name()); - System.clearProperty(AzureProperty.AZURE_APP_CLIENT_ID.name()); - System.clearProperty("systembruker.username"); - + Arrays.asList(AzureProperty.values()).forEach(p -> System.clearProperty(p.name())); + System.clearProperty(SYSTEMBRUKER_PROP); } @Test 
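Review bot: `Arrays.asList(AzureProperty.values()).forEach(p -> System.clearProperty(p.name()))` in teardown and `Arrays.stream(AzureProperty.values()).forEach(...)` in OidcTokenValidatorTest are two spellings of the same cleanup; a plain `for (var p : AzureProperty.values()) { System.clearProperty(p.name()); }` reads the same in both tests and needs no Arrays import. The well-known URL in setupAll is now `OidcTokenGenerator.ISSUER + "/dummy"` and, judging by the OidcProviderConfig hunk in this commit, is never fetched for Azure, which a reader of this test cannot see; a comment on that line, `// never fetched: only marks Azure as configured, values come from AZURE_OPENID_CONFIG_*`, would explain why a non-existent URL is fine. The fields at the top of the hunk belong to AuthenticationFilterDelegateTest, whose declaration lies outside the hunk.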
diff --git a/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/AzureProperty.java b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/AzureProperty.java
index a7da8c629..e645df691 100644
--- a/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/AzureProperty.java
+++ b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/AzureProperty.java
@@ -10,6 +10,9 @@ public enum AzureProperty {
     AZURE_APP_JWK,
     AZURE_APP_PRE_AUTHORIZED_APPS,
     AZURE_APP_TENANT_ID,
+    AZURE_OPENID_CONFIG_ISSUER,
+    AZURE_OPENID_CONFIG_JWKS_URI,
+    AZURE_OPENID_CONFIG_TOKEN_ENDPOINT,
     AZURE_APP_WELL_KNOWN_URL;
 
     public static final String NAV_IDENT = "NAVident";
diff --git a/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/OpenIDConfiguration.java b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/OpenIDConfiguration.java
index 78c3c5f81..8186eecd6 100644
--- a/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/OpenIDConfiguration.java
+++ b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/OpenIDConfiguration.java
@@ -2,8 +2,15 @@ import java.net.URI; -public record OpenIDConfiguration(OpenIDProvider type, URI issuer, URI jwksUri, URI tokenEndpoint, boolean useProxyForJwks, URI proxy, - String clientId, String clientSecret, boolean skipAudienceValidation) { +public record OpenIDConfiguration(OpenIDProvider type, + URI issuer, + URI jwksUri, + URI tokenEndpoint, + boolean useProxyForJwks, + URI proxy, + String clientId, + String clientSecret, + boolean skipAudienceValidation) { @Override public String toString() { return "OpenIDConfiguration{" + "type=" + type + ", clientId='" + clientId + ", issuer=" + issuer + '}';
diff --git a/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/TokenXProperty.java b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/TokenXProperty.java
index be6c84838..82d4e4215 100644
--- a/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/TokenXProperty.java
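Review bot: The three new AZURE_OPENID_CONFIG_* constants carry no comment saying when they must be present, yet createAzureAppConfiguration in OidcProviderConfig now reads them directly instead of discovering them from AZURE_APP_WELL_KNOWN_URL, so a deployment that sets only the well-known URL ends up with an Azure configuration built from missing values. A short Javadoc on the new constants would make the contract visible, e.g. `/** Issuer, jwks_uri and token_endpoint of the Azure openid-configuration. Required whenever AZURE_APP_WELL_KNOWN_URL is set, since no well-known lookup is performed for Azure. */`. The enum declaration itself is outside the hunk.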
+++ b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/TokenXProperty.java
@@ -10,5 +10,4 @@ public enum TokenXProperty {
     TOKEN_X_ISSUER,
     TOKEN_X_JWKS_URI,
     TOKEN_X_TOKEN_ENDPOINT;
-
 }
diff --git a/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/impl/OidcProviderConfig.java b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/impl/OidcProviderConfig.java
index 6093c09f7..463f94d17 100644
--- a/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/impl/OidcProviderConfig.java
+++ b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/impl/OidcProviderConfig.java
@@ -86,14 +86,14 @@ private static Set hentConfig() {
         var azureKonfigUrl = getAzureProperty(AzureProperty.AZURE_APP_WELL_KNOWN_URL);
         if (azureKonfigUrl != null) {
             LOG.debug("Oppretter AzureAD konfig fra '{}'", azureKonfigUrl);
-            idProviderConfigs.add(createAzureAppConfiguration(azureKonfigUrl));
+            idProviderConfigs.add(createAzureAppConfiguration());
         }
 
         // TokenX
         var tokenxKonfigUrl = getTokenXProperty(TokenXProperty.TOKEN_X_WELL_KNOWN_URL);
         if (tokenxKonfigUrl != null) {
             LOG.debug("Oppretter TokenX konfig fra '{}'", tokenxKonfigUrl);
-            idProviderConfigs.add(createTokenXConfiguration(tokenxKonfigUrl));
+            idProviderConfigs.add(createTokenXConfiguration());
         }
 
         var providere = idProviderConfigs.stream().map(OpenIDConfiguration::type).map(OpenIDProvider::name).collect(Collectors.joining(", "));
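Review bot: The debug message `Oppretter AzureAD konfig fra '{}'` still presents azureKonfigUrl as the source of the configuration, but after this change the well-known URL is only a presence check and the values come from the AZURE_OPENID_CONFIG_* properties; the TokenX branch has the same mismatch. Logging the value actually used, `LOG.debug("Oppretter AzureAD konfig for issuer '{}'", getAzureProperty(AzureProperty.AZURE_OPENID_CONFIG_ISSUER));`, or a comment above the null check, `// the well-known URL only signals that Azure is configured; values are read from AZURE_OPENID_CONFIG_*`, keeps the log from pointing operators at a URL that is never fetched. hentConfig starts and ends outside the hunk.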
@@ -115,24 +115,24 @@ private static OpenIDConfiguration createStsConfiguration(String wellKnownUrl) {
     }
 
     @SuppressWarnings("unused")
-    private static OpenIDConfiguration createAzureAppConfiguration(String wellKnownUrl) {
-        var proxyUrl = ENV.isFss() ? URI.create(ENV.getProperty(AZURE_HTTP_PROXY, getDefaultProxy())) : null;
+    private static OpenIDConfiguration createAzureAppConfiguration() {
+        var proxyUrl = (ENV.isFss() && ENV.isProd()) ? URI.create(ENV.getProperty(AZURE_HTTP_PROXY, getDefaultProxy())) : null;
         return createConfiguration(OpenIDProvider.AZUREAD,
-            getIssuerFra(wellKnownUrl, proxyUrl).orElseThrow(),
-            getJwksFra(wellKnownUrl, proxyUrl).orElseThrow(),
-            getTokenEndpointFra(wellKnownUrl, proxyUrl).orElseThrow(),
-            ENV.isFss(),
+            getAzureProperty(AzureProperty.AZURE_OPENID_CONFIG_ISSUER),
+            getAzureProperty(AzureProperty.AZURE_OPENID_CONFIG_JWKS_URI),
+            getAzureProperty(AzureProperty.AZURE_OPENID_CONFIG_TOKEN_ENDPOINT),
+            (ENV.isFss() && ENV.isProd()),
             proxyUrl,
             getAzureProperty(AzureProperty.AZURE_APP_CLIENT_ID),
             getAzureProperty(AzureProperty.AZURE_APP_CLIENT_SECRET),
             ENV.isLocal());
     }
 
-    private static OpenIDConfiguration createTokenXConfiguration(String wellKnownUrl) {
+    private static OpenIDConfiguration createTokenXConfiguration() {
         return createConfiguration(OpenIDProvider.TOKENX,
-            getIssuerFra(wellKnownUrl).orElseThrow(),
-            getJwksFra(wellKnownUrl).orElseThrow(),
-            getTokenEndpointFra(wellKnownUrl).orElseThrow(),
+            getTokenXProperty(TokenXProperty.TOKEN_X_ISSUER),
+            getTokenXProperty(TokenXProperty.TOKEN_X_JWKS_URI),
+            getTokenXProperty(TokenXProperty.TOKEN_X_TOKEN_ENDPOINT),
             false,
             null,
             getTokenXProperty(TokenXProperty.TOKEN_X_CLIENT_ID),
diff --git a/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/impl/WellKnownConfigurationHelper.java b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/impl/WellKnownConfigurationHelper.java
index 409d38f07..c78d657c7 100644
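Review bot: The three `getAzureProperty(AzureProperty.AZURE_OPENID_CONFIG_*)` arguments replace calls that ended in `.orElseThrow()`, so a missing property no longer stops startup; since hentConfig tests `getAzureProperty(...) != null`, the getter presumably yields null for an unset value, and that null now reaches createConfiguration (outside this hunk) as the issuer, jwks URI or token endpoint. A validator assembled from a missing issuer or jwks URI should fail at configuration time rather than surface later as a token-validation error, so these lookups should fail fast; the same holds for the three `getTokenXProperty(TokenXProperty.TOKEN_X_*)` arguments in createTokenXConfiguration, whose body continues past the hunk. `ENV.isFss() && ENV.isProd()` is also evaluated twice; naming it once keeps proxyUrl and useProxyForJwks in step. The excerpt below does both for the Azure method, with the exception message in the same Norwegian as the project's other messages.
```java
    private static OpenIDConfiguration createAzureAppConfiguration() {
        var useProxy = ENV.isFss() && ENV.isProd();
        var proxyUrl = useProxy ? URI.create(ENV.getProperty(AZURE_HTTP_PROXY, getDefaultProxy())) : null;
        return createConfiguration(OpenIDProvider.AZUREAD,
            requireAzureProperty(AzureProperty.AZURE_OPENID_CONFIG_ISSUER),
            requireAzureProperty(AzureProperty.AZURE_OPENID_CONFIG_JWKS_URI),
            requireAzureProperty(AzureProperty.AZURE_OPENID_CONFIG_TOKEN_ENDPOINT),
            useProxy,
            proxyUrl,
            // … unchanged: client id, client secret, ENV.isLocal()); …
    }

    // Fails fast on a missing value, as getIssuerFra(...).orElseThrow() did before discovery was removed.
    private static String requireAzureProperty(AzureProperty property) {
        var value = getAzureProperty(property);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("Mangler påkrevd Azure-konfigurasjon: " + property.name());
        }
        return value;
    }
```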
--- a/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/impl/WellKnownConfigurationHelper.java
+++ b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/impl/WellKnownConfigurationHelper.java
@@ -9,7 +9,6 @@
 import java.net.http.HttpResponse;
 import java.time.Duration;
 import java.util.Collections;
-import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Optional;
@@ -19,14 +18,12 @@ import com.fasterxml.jackson.databind.ObjectReader; -import no.nav.foreldrepenger.konfig.Environment; import no.nav.vedtak.exception.TekniskException; import no.nav.vedtak.mapper.json.DefaultJsonMapper; public class WellKnownConfigurationHelper { private static final Logger LOG = LoggerFactory.getLogger(WellKnownConfigurationHelper.class); - private static final Environment ENV = Environment.current(); private static final ObjectReader READER = DefaultJsonMapper.getObjectMapper().readerFor(WellKnownOpenIdConfiguration.class); public static final String STANDARD_WELL_KNOWN_PATH = ".well-known/openid-configuration";
@@ -93,25 +90,4 @@ private static WellKnownOpenIdConfiguration hentWellKnownConfig(String wellKnown
         }
     }
 
-    public static void setWellKnownConfig(String wellKnownUrl, String jsonAsString) {
-        guardForTestOnly();
-        wellKnownConfigMap.computeIfAbsent(wellKnownUrl, key -> {
-            try {
-                return READER.readValue(jsonAsString);
-            } catch (IOException e) {
-                throw new IllegalArgumentException("Ugyldig json: ", e);
-            }
-        });
-    }
-
-    public static void unsetWellKnownConfig() {
-        guardForTestOnly();
-        wellKnownConfigMap = new HashMap<>();
-    }
-
-    private static void guardForTestOnly() {
-        if (!ENV.isLocal()) {
-            throw new IllegalStateException("Skal aldri kjøres i miljø!");
-        }
-    }
 }
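Review bot: Deleting unsetWellKnownConfig removes the only reassignment of wellKnownConfigMap that this hunk shows, so the field (declared above the hunk, outside it) can presumably be made `private static final` now; the cache is then written only through computeIfAbsent in hentWellKnownConfig and no longer needs a runtime guard like the removed ENV.isLocal() check to keep test-only mutation out of production. Confirm that nothing else in the class reassigns the field before tightening it. The closing braces at the top of the hunk belong to hentWellKnownConfig, whose body starts outside the hunk.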
diff --git a/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/impl/WellKnownOpenIdConfiguration.java b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/impl/WellKnownOpenIdConfiguration.java
index 434b943ed..44c3f9e21 100644
--- a/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/impl/WellKnownOpenIdConfiguration.java
+++ b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/impl/WellKnownOpenIdConfiguration.java
@@ -4,5 +4,4 @@
  * Interessante elementer fra en standard respons fra .well-known/openid-configuration
  */
 public record WellKnownOpenIdConfiguration(String issuer, String jwks_uri, String token_endpoint) {
-
 }
diff --git a/felles/oidc/src/test/java/no/nav/vedtak/sikkerhet/oidc/validator/OidcTokenValidatorTest.java b/felles/oidc/src/test/java/no/nav/vedtak/sikkerhet/oidc/validator/OidcTokenValidatorTest.java
index 7fb705d5b..9e55398ae 100644
--- a/felles/oidc/src/test/java/no/nav/vedtak/sikkerhet/oidc/validator/OidcTokenValidatorTest.java
+++ b/felles/oidc/src/test/java/no/nav/vedtak/sikkerhet/oidc/validator/OidcTokenValidatorTest.java
@@ -14,13 +14,10 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
-import no.nav.vedtak.mapper.json.DefaultJsonMapper;
 import no.nav.vedtak.sikkerhet.kontekst.Groups;
 import no.nav.vedtak.sikkerhet.oidc.config.AzureProperty;
 import no.nav.vedtak.sikkerhet.oidc.config.OpenIDProvider;
 import no.nav.vedtak.sikkerhet.oidc.config.impl.OidcProviderConfig;
-import no.nav.vedtak.sikkerhet.oidc.config.impl.WellKnownConfigurationHelper;
-import no.nav.vedtak.sikkerhet.oidc.config.impl.WellKnownOpenIdConfiguration;
 import no.nav.vedtak.sikkerhet.oidc.jwks.JwksKeyHandlerImpl;
 import no.nav.vedtak.sikkerhet.oidc.token.TokenString;
@@ -30,15 +27,22 @@ class OidcTokenValidatorTest { @BeforeEach public void beforeEach() { - var wellKnownUrl = OidcTokenGenerator.ISSUER + "/" + WellKnownConfigurationHelper.STANDARD_WELL_KNOWN_PATH; + var wellKnownUrl = OidcTokenGenerator.ISSUER + "/dummy_url"; System.setProperty(AzureProperty.AZURE_APP_WELL_KNOWN_URL.name(), wellKnownUrl); System.setProperty(AzureProperty.AZURE_APP_CLIENT_ID.name(), "OIDC"); - var wellKnownResponse = new WellKnownOpenIdConfiguration(OidcTokenGenerator.ISSUER, "dummy", "dummy"); - WellKnownConfigurationHelper.setWellKnownConfig(wellKnownUrl, DefaultJsonMapper.toJson(wellKnownResponse)); + System.setProperty(AzureProperty.AZURE_APP_CLIENT_SECRET.name(), "dummy"); + System.setProperty(AzureProperty.AZURE_OPENID_CONFIG_ISSUER.name(), OidcTokenGenerator.ISSUER); + System.setProperty(AzureProperty.AZURE_OPENID_CONFIG_JWKS_URI.name(), "dummy"); + System.setProperty(AzureProperty.AZURE_OPENID_CONFIG_TOKEN_ENDPOINT.name(), "dummy"); tokenValidator = new OidcTokenValidator(OidcProviderConfig.instance().getOidcConfig(OpenIDProvider.AZUREAD).orElseThrow(), new JwksKeyHandlerFromString(KeyStoreTool.getJwks())); } + @AfterEach + public void cleanSystemProperties() { + Arrays.stream(AzureProperty.values()).forEach(p -> System.clearProperty(p.name())); + } + @Test void skal_godta_token_som_har_forventede_verdier() { var token = new OidcTokenGenerator().createHeaderTokenHolder(); @@ -257,8 +261,6 @@ void skal_ikke_godta_token_som_er_signert_med_feil_sertifikat() { @Test void skal_ikke_godta_å_validere_token_når_det_mangler_konfigurasjon_for_issuer() { - WellKnownConfigurationHelper.setWellKnownConfig("azureAD", "{}"); - var keyHandler = new JwksKeyHandlerFromString(KeyStoreTool.getJwks()); var message = assertThrows(IllegalStateException.class, () -> new OidcTokenValidator(OpenIDProvider.AZUREAD, null, keyHandler, "OIDC")); 
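Review bot: `AZURE_OPENID_CONFIG_JWKS_URI` and `AZURE_OPENID_CONFIG_TOKEN_ENDPOINT` are set to "dummy" in beforeEach without saying why a non-URL is acceptable; the validator is built with `new JwksKeyHandlerFromString(KeyStoreTool.getJwks())`, so the jwks URI is never contacted, but that is on a later line and easy to miss. A comment above the setProperty calls, `// endpoints are never contacted in this test: keys come from JwksKeyHandlerFromString`, would make the intent explicit. The new @AfterEach clears every AzureProperty, which is broader than the version it replaces; if `OidcProviderConfig.instance()` retains its configuration after the first call, clearing the properties will not reset it between tests, which is worth confirming before relying on the per-test setup. The class declaration sits outside the hunk.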
@@ -315,13 +317,6 @@ void skal_ikke_godta_noe_som_ikke_er_et_gyldig_JWT() {
         assertInvalid(result4, "Invalid OIDC JWT processing failed");
     }
 
-    @AfterEach
-    public void cleanSystemProperties() {
-        System.clearProperty(AzureProperty.AZURE_APP_WELL_KNOWN_URL.name());
-        System.clearProperty(AzureProperty.AZURE_APP_CLIENT_ID.name());
-
-    }
-
     private static class JwksKeyHandlerFromString extends JwksKeyHandlerImpl {
         private JwksKeyHandlerFromString(String jwks) {
             super(() -> jwks, URI.create("http://www.vg.no"));