navikt · mrsladek · Aug 14, 2024 · Aug 13, 2024 · Aug 14, 2024
@@ -5,6 +5,7 @@
 import static org.mockito.Mockito.when;
 
 import java.lang.reflect.Method;
+import java.util.Arrays;
 
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.WebApplicationException;
@@ -17,14 +18,11 @@
 import org.junit.jupiter.api.Test;
 import org.mockito.Mockito;
 
-import no.nav.vedtak.mapper.json.DefaultJsonMapper;
 import no.nav.vedtak.sikkerhet.kontekst.IdentType;
 import no.nav.vedtak.sikkerhet.kontekst.KontekstHolder;
 import no.nav.vedtak.sikkerhet.kontekst.SikkerhetContext;
 import no.nav.vedtak.sikkerhet.oidc.config.AzureProperty;
 import no.nav.vedtak.sikkerhet.oidc.config.OpenIDProvider;
-import no.nav.vedtak.sikkerhet.oidc.config.impl.WellKnownConfigurationHelper;
-import no.nav.vedtak.sikkerhet.oidc.config.impl.WellKnownOpenIdConfiguration;
 import no.nav.vedtak.sikkerhet.oidc.token.OpenIDToken;
 import no.nav.vedtak.sikkerhet.oidc.token.TokenString;
 import no.nav.vedtak.sikkerhet.oidc.validator.OidcTokenValidator;
@@ -33,34 +31,35 @@
 
 class AuthenticationFilterDelegateTest {
 
+    private static final String SYSTEMBRUKER_PROP = "systembruker.username";
+
     private final OidcTokenValidator tokenValidator = Mockito.mock(OidcTokenValidator.class);
 
     private final ContainerRequestContext request = Mockito.mock(ContainerRequestContext.class);
 
     public void setupAll() {
-        var wellKnownUrl = OidcTokenGenerator.ISSUER + "/" + WellKnownConfigurationHelper.STANDARD_WELL_KNOWN_PATH;
+        var wellKnownUrl = OidcTokenGenerator.ISSUER + "/dummy";
         System.setProperty(AzureProperty.AZURE_APP_WELL_KNOWN_URL.name(), wellKnownUrl);
         System.setProperty(AzureProperty.AZURE_APP_CLIENT_ID.name(), "OIDC");
-        System.setProperty("systembruker.username", "JUnit Test");
+        System.setProperty(AzureProperty.AZURE_APP_CLIENT_SECRET.name(), "dummy");
+        System.setProperty(AzureProperty.AZURE_OPENID_CONFIG_ISSUER.name(), OidcTokenGenerator.ISSUER);
+        System.setProperty(AzureProperty.AZURE_OPENID_CONFIG_JWKS_URI.name(), OidcTokenGenerator.ISSUER + "/jwks_uri");
+        System.setProperty(AzureProperty.AZURE_OPENID_CONFIG_TOKEN_ENDPOINT.name(), "dummy");
 
-        var wellKnownResponse = new WellKnownOpenIdConfiguration(OidcTokenGenerator.ISSUER, OidcTokenGenerator.ISSUER + "/jwks_uri", "dummy");
-        WellKnownConfigurationHelper.setWellKnownConfig(wellKnownUrl, DefaultJsonMapper.toJson(wellKnownResponse));
+        System.setProperty(SYSTEMBRUKER_PROP, "JUnit Test");
 
         OidcTokenValidatorConfig.addValidator(OpenIDProvider.AZUREAD, tokenValidator);
     }
 
     @BeforeEach
     public void setUp() {
-        WellKnownConfigurationHelper.unsetWellKnownConfig();
         setupAll();
     }
 
     @AfterEach
     public void teardown() {
-        System.clearProperty(AzureProperty.AZURE_APP_WELL_KNOWN_URL.name());
-        System.clearProperty(AzureProperty.AZURE_APP_CLIENT_ID.name());
-        System.clearProperty("systembruker.username");
-
+        Arrays.asList(AzureProperty.values()).forEach(p -> System.clearProperty(p.name()));
+        System.clearProperty(SYSTEMBRUKER_PROP);
     }
 
     @Test

@@ -10,6 +10,9 @@ public enum AzureProperty {
     AZURE_APP_JWK,
     AZURE_APP_PRE_AUTHORIZED_APPS,
     AZURE_APP_TENANT_ID,
+    AZURE_OPENID_CONFIG_ISSUER,
+    AZURE_OPENID_CONFIG_JWKS_URI,
+    AZURE_OPENID_CONFIG_TOKEN_ENDPOINT,
     AZURE_APP_WELL_KNOWN_URL;
 
     public static final String NAV_IDENT = "NAVident";

@@ -2,8 +2,15 @@
 
 import java.net.URI;
 
-public record OpenIDConfiguration(OpenIDProvider type, URI issuer, URI jwksUri, URI tokenEndpoint, boolean useProxyForJwks, URI proxy,
-                                  String clientId, String clientSecret, boolean skipAudienceValidation) {
+public record OpenIDConfiguration(OpenIDProvider type,
+                                  URI issuer,
+                                  URI jwksUri,
+                                  URI tokenEndpoint,
+                                  boolean useProxyForJwks,
+                                  URI proxy,
+                                  String clientId,
+                                  String clientSecret,
+                                  boolean skipAudienceValidation) {
     @Override
     public String toString() {
         return "OpenIDConfiguration{" + "type=" + type + ", clientId='" + clientId + ", issuer=" + issuer + '}';

@@ -10,5 +10,4 @@ public enum TokenXProperty {
     TOKEN_X_ISSUER,
     TOKEN_X_JWKS_URI,
     TOKEN_X_TOKEN_ENDPOINT;
-
 }
@@ -86,14 +86,14 @@ private static Set<OpenIDConfiguration> hentConfig() {
         var azureKonfigUrl = getAzureProperty(AzureProperty.AZURE_APP_WELL_KNOWN_URL);
         if (azureKonfigUrl != null) {
             LOG.debug("Oppretter AzureAD konfig fra '{}'", azureKonfigUrl);
-            idProviderConfigs.add(createAzureAppConfiguration(azureKonfigUrl));
+            idProviderConfigs.add(createAzureAppConfiguration());
         }
 
         // TokenX
         var tokenxKonfigUrl = getTokenXProperty(TokenXProperty.TOKEN_X_WELL_KNOWN_URL);
         if (tokenxKonfigUrl != null) {
             LOG.debug("Oppretter TokenX konfig fra '{}'", tokenxKonfigUrl);
-            idProviderConfigs.add(createTokenXConfiguration(tokenxKonfigUrl));
+            idProviderConfigs.add(createTokenXConfiguration());
         }
 
         var providere = idProviderConfigs.stream().map(OpenIDConfiguration::type).map(OpenIDProvider::name).collect(Collectors.joining(", "));
@@ -115,24 +115,24 @@ private static OpenIDConfiguration createStsConfiguration(String wellKnownUrl) {
     }
 
     @SuppressWarnings("unused")
-    private static OpenIDConfiguration createAzureAppConfiguration(String wellKnownUrl) {
-        var proxyUrl = ENV.isFss() ? URI.create(ENV.getProperty(AZURE_HTTP_PROXY, getDefaultProxy())) : null;
+    private static OpenIDConfiguration createAzureAppConfiguration() {
+        var proxyUrl = (ENV.isFss() && ENV.isProd()) ? URI.create(ENV.getProperty(AZURE_HTTP_PROXY, getDefaultProxy())) : null;
         return createConfiguration(OpenIDProvider.AZUREAD,
-            getIssuerFra(wellKnownUrl, proxyUrl).orElseThrow(),
-            getJwksFra(wellKnownUrl, proxyUrl).orElseThrow(),
-            getTokenEndpointFra(wellKnownUrl, proxyUrl).orElseThrow(),
-            ENV.isFss(),
+            getAzureProperty(AzureProperty.AZURE_OPENID_CONFIG_ISSUER),
+            getAzureProperty(AzureProperty.AZURE_OPENID_CONFIG_JWKS_URI),
+            getAzureProperty(AzureProperty.AZURE_OPENID_CONFIG_TOKEN_ENDPOINT),
+            (ENV.isFss() && ENV.isProd()),
             proxyUrl,
             getAzureProperty(AzureProperty.AZURE_APP_CLIENT_ID),
             getAzureProperty(AzureProperty.AZURE_APP_CLIENT_SECRET),
             ENV.isLocal());
     }
 
-    private static OpenIDConfiguration createTokenXConfiguration(String wellKnownUrl) {
+    private static OpenIDConfiguration createTokenXConfiguration() {
         return createConfiguration(OpenIDProvider.TOKENX,
-            getIssuerFra(wellKnownUrl).orElseThrow(),
-            getJwksFra(wellKnownUrl).orElseThrow(),
-            getTokenEndpointFra(wellKnownUrl).orElseThrow(),
+            getTokenXProperty(TokenXProperty.TOKEN_X_ISSUER),
+            getTokenXProperty(TokenXProperty.TOKEN_X_JWKS_URI),
+            getTokenXProperty(TokenXProperty.TOKEN_X_TOKEN_ENDPOINT),
             false,
             null,
             getTokenXProperty(TokenXProperty.TOKEN_X_CLIENT_ID),

@@ -9,7 +9,6 @@
 import java.net.http.HttpResponse;
 import java.time.Duration;
 import java.util.Collections;
-import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Optional;
@@ -19,14 +18,12 @@
 
 import com.fasterxml.jackson.databind.ObjectReader;
 
-import no.nav.foreldrepenger.konfig.Environment;
 import no.nav.vedtak.exception.TekniskException;
 import no.nav.vedtak.mapper.json.DefaultJsonMapper;
 
 public class WellKnownConfigurationHelper {
 
     private static final Logger LOG = LoggerFactory.getLogger(WellKnownConfigurationHelper.class);
-    private static final Environment ENV = Environment.current();
     private static final ObjectReader READER = DefaultJsonMapper.getObjectMapper().readerFor(WellKnownOpenIdConfiguration.class);
 
     public static final String STANDARD_WELL_KNOWN_PATH = ".well-known/openid-configuration";
@@ -93,25 +90,4 @@ private static WellKnownOpenIdConfiguration hentWellKnownConfig(String wellKnown
         }
     }
 
-    public static void setWellKnownConfig(String wellKnownUrl, String jsonAsString) {
-        guardForTestOnly();
-        wellKnownConfigMap.computeIfAbsent(wellKnownUrl, key -> {
-            try {
-                return READER.readValue(jsonAsString);
-            } catch (IOException e) {
-                throw new IllegalArgumentException("Ugyldig json: ", e);
-            }
-        });
-    }
-
-    public static void unsetWellKnownConfig() {
-        guardForTestOnly();
-        wellKnownConfigMap = new HashMap<>();
-    }
-
-    private static void guardForTestOnly() {
-        if (!ENV.isLocal()) {
-            throw new IllegalStateException("Skal aldri kjøres i miljø!");
-        }
-    }
 }
@@ -4,5 +4,4 @@
  * Interessante elementer fra en standard respons fra .well-known/openid-configuration
  */
 public record WellKnownOpenIdConfiguration(String issuer, String jwks_uri, String token_endpoint) {
-
 }
@@ -14,13 +14,10 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
-import no.nav.vedtak.mapper.json.DefaultJsonMapper;
 import no.nav.vedtak.sikkerhet.kontekst.Groups;
 import no.nav.vedtak.sikkerhet.oidc.config.AzureProperty;
 import no.nav.vedtak.sikkerhet.oidc.config.OpenIDProvider;
 import no.nav.vedtak.sikkerhet.oidc.config.impl.OidcProviderConfig;
-import no.nav.vedtak.sikkerhet.oidc.config.impl.WellKnownConfigurationHelper;
-import no.nav.vedtak.sikkerhet.oidc.config.impl.WellKnownOpenIdConfiguration;
 import no.nav.vedtak.sikkerhet.oidc.jwks.JwksKeyHandlerImpl;
 import no.nav.vedtak.sikkerhet.oidc.token.TokenString;
 
@@ -30,15 +27,22 @@ class OidcTokenValidatorTest {
 
     @BeforeEach
     public void beforeEach() {
-        var wellKnownUrl = OidcTokenGenerator.ISSUER + "/" + WellKnownConfigurationHelper.STANDARD_WELL_KNOWN_PATH;
+        var wellKnownUrl = OidcTokenGenerator.ISSUER + "/dummy_url";
         System.setProperty(AzureProperty.AZURE_APP_WELL_KNOWN_URL.name(), wellKnownUrl);
         System.setProperty(AzureProperty.AZURE_APP_CLIENT_ID.name(), "OIDC");
-        var wellKnownResponse = new WellKnownOpenIdConfiguration(OidcTokenGenerator.ISSUER, "dummy", "dummy");
-        WellKnownConfigurationHelper.setWellKnownConfig(wellKnownUrl, DefaultJsonMapper.toJson(wellKnownResponse));
+        System.setProperty(AzureProperty.AZURE_APP_CLIENT_SECRET.name(), "dummy");
+        System.setProperty(AzureProperty.AZURE_OPENID_CONFIG_ISSUER.name(), OidcTokenGenerator.ISSUER);
+        System.setProperty(AzureProperty.AZURE_OPENID_CONFIG_JWKS_URI.name(), "dummy");
+        System.setProperty(AzureProperty.AZURE_OPENID_CONFIG_TOKEN_ENDPOINT.name(), "dummy");
         tokenValidator = new OidcTokenValidator(OidcProviderConfig.instance().getOidcConfig(OpenIDProvider.AZUREAD).orElseThrow(),
             new JwksKeyHandlerFromString(KeyStoreTool.getJwks()));
     }
 
+    @AfterEach
+    public void cleanSystemProperties() {
+        Arrays.stream(AzureProperty.values()).forEach(p -> System.clearProperty(p.name()));
+    }
+
     @Test
     void skal_godta_token_som_har_forventede_verdier() {
         var token = new OidcTokenGenerator().createHeaderTokenHolder();
@@ -257,8 +261,6 @@ void skal_ikke_godta_token_som_er_signert_med_feil_sertifikat() {
 
     @Test
     void skal_ikke_godta_å_validere_token_når_det_mangler_konfigurasjon_for_issuer() {
-        WellKnownConfigurationHelper.setWellKnownConfig("azureAD", "{}");
-
         var keyHandler = new JwksKeyHandlerFromString(KeyStoreTool.getJwks());
         var message = assertThrows(IllegalStateException.class,
             () -> new OidcTokenValidator(OpenIDProvider.AZUREAD, null, keyHandler, "OIDC"));
@@ -315,13 +317,6 @@ void skal_ikke_godta_noe_som_ikke_er_et_gyldig_JWT() {
         assertInvalid(result4, "Invalid OIDC JWT processing failed");
     }
 
-    @AfterEach
-    public void cleanSystemProperties() {
-        System.clearProperty(AzureProperty.AZURE_APP_WELL_KNOWN_URL.name());
-        System.clearProperty(AzureProperty.AZURE_APP_CLIENT_ID.name());
-
-    }
-
     private static class JwksKeyHandlerFromString extends JwksKeyHandlerImpl {
         private JwksKeyHandlerFromString(String jwks) {
             super(() -> jwks, URI.create("http://www.vg.no"));
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,5 +4,4 @@ @@
      * Interessante elementer fra en standard respons fra .well-known/openid-configuration
      */
     public record WellKnownOpenIdConfiguration(String issuer, String jwks_uri, String token_endpoint) {
     }