From 21e00b7788e5d878f81bd02c0c857f684f085f1f Mon Sep 17 00:00:00 2001
From: Jens-Otto Larsen
Date: Thu, 15 Aug 2024 21:23:58 +0200
Subject: [PATCH] =?UTF-8?q?Robust=20sjekk=20p=C3=A5=20annotering,=20logg?=
 =?UTF-8?q?=20om=20STS-endepunkt=20er=20annotert?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../jaxrs/AuthenticationFilterDelegate.java | 41 ++++++++++++++-----
 1 file changed, 31 insertions(+), 10 deletions(-)

diff --git a/felles/auth-filter/src/main/java/no/nav/vedtak/sikkerhet/jaxrs/AuthenticationFilterDelegate.java b/felles/auth-filter/src/main/java/no/nav/vedtak/sikkerhet/jaxrs/AuthenticationFilterDelegate.java
index e4feba99f..6560b948b 100644
--- a/felles/auth-filter/src/main/java/no/nav/vedtak/sikkerhet/jaxrs/AuthenticationFilterDelegate.java
+++ b/felles/auth-filter/src/main/java/no/nav/vedtak/sikkerhet/jaxrs/AuthenticationFilterDelegate.java
@@ -1,24 +1,27 @@
 package no.nav.vedtak.sikkerhet.jaxrs;
+import java.lang.annotation.Annotation;
 import java.lang.reflect.Method;
 import java.time.Instant;
 import java.util.Optional;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.slf4j.MDC;
-
 import jakarta.ws.rs.WebApplicationException;
 import jakarta.ws.rs.container.ContainerRequestContext;
 import jakarta.ws.rs.container.ResourceInfo;
 import jakarta.ws.rs.core.HttpHeaders;
 import jakarta.ws.rs.core.Response;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.slf4j.MDC;
+
 import no.nav.vedtak.exception.TekniskException;
 import no.nav.vedtak.log.mdc.MDCOperations;
 import no.nav.vedtak.sikkerhet.kontekst.BasisKontekst;
 import no.nav.vedtak.sikkerhet.kontekst.KontekstHolder;
 import no.nav.vedtak.sikkerhet.kontekst.RequestKontekst;
 import no.nav.vedtak.sikkerhet.oidc.config.ConfigProvider;
+import no.nav.vedtak.sikkerhet.oidc.config.OpenIDProvider;
 import no.nav.vedtak.sikkerhet.oidc.token.OpenIDToken;
 import no.nav.vedtak.sikkerhet.oidc.token.TokenString;
 import no.nav.vedtak.sikkerhet.oidc.validator.JwtUtil;
@@ -45,7 +48,7 @@ private AuthenticationFilterDelegate() {
     public static void validerSettKontekst(ResourceInfo resourceInfo, ContainerRequestContext ctx) {
         try {
             Method method = resourceInfo.getResourceMethod();
-            var utenAutentiseringRessurs = method.getAnnotation(UtenAutentisering.class);
+            var utenAutentiseringRessurs = getAnnotation(resourceInfo, UtenAutentisering.class);
             var metodenavn = method.getName();
             if (KontekstHolder.harKontekst()) {
                 LOG.info("Kall til {} hadde kontekst {}", metodenavn, KontekstHolder.getKontekst().getKompaktUid());
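Review bot: The replacement lookup `getAnnotation(resourceInfo, UtenAutentisering.class)` also accepts a class-level `@UtenAutentisering`, so one annotation on the resource class now switches off authentication for every method in it, including methods added later, whereas the removed line only honoured the method's own annotation. If class-level use is not intended, restrict this particular lookup to the method (`Optional.ofNullable(method.getAnnotation(UtenAutentisering.class))`) and keep the class fallback for `TillatSTS` only; if it is intended, confirm that `UtenAutentisering` declares `ElementType.TYPE` in its `@Target` and say so in its Javadoc. The `LOG.trace("{} er whitelisted", metodenavn)` in the next hunk is the only record of the bypass, and noting whether it came from the method or the class would make audits easier. `validerSettKontekst` continues beyond this hunk.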
@@ -55,13 +58,11 @@ public static void validerSettKontekst(ResourceInfo resourceInfo, ContainerReque
             setCallAndConsumerId(ctx);
             LOG.trace("{} i klasse {}", metodenavn, method.getDeclaringClass());
             // Kan vurdere å unnta metodenavn = getOpenApi og getDeclaringClass startsWith io.swagger + endsWith OpenApiResource
-            if (utenAutentiseringRessurs != null ) {
+            if (utenAutentiseringRessurs.isPresent()) {
                 KontekstHolder.setKontekst(BasisKontekst.ikkeAutentisertRequest(MDCOperations.getConsumerId()));
                 LOG.trace("{} er whitelisted", metodenavn);
             } else {
-                var tokenString = getTokenFromHeader(ctx)
-                    .orElseThrow(() -> new ValideringsFeil("Mangler token"));
-                validerTokenSetKontekst(tokenString);
+                validerTokenSetKontekst(resourceInfo, ctx);
                 setUserAndConsumerId(KontekstHolder.getKontekst().getUid());
             }
         } catch (TekniskException | TokenFeil e) {
@@ -97,6 +98,11 @@ private static void setUserAndConsumerId(String subject) {
         }
     }
+    private static Optional getAnnotation(ResourceInfo resourceInfo, Class tClass) {
+        return Optional.ofNullable(resourceInfo.getResourceMethod().getAnnotation(tClass))
+            .or(() -> Optional.ofNullable(resourceInfo.getResourceClass().getAnnotation(tClass)));
+    }
+
     private static Optional getTokenFromHeader(ContainerRequestContext request) {
         String headerValue = request.getHeaderString(AUTHORIZATION_HEADER);
         return headerValue != null && headerValue.startsWith(OpenIDToken.OIDC_DEFAULT_TOKEN_TYPE)
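Review bot: `getAnnotation` has no Javadoc, and its lookup order (method first, then the resource class) is the fact both callers depend on; suggest `/** Returns the annotation from the resource method, falling back to the resource class; empty when neither carries it. Superclass annotations are only seen if the annotation type is @Inherited. */`. `ResourceInfo.getResourceMethod()` and `getResourceClass()` are documented to return null when the target is not available, and both are dereferenced unguarded here; the existing `method.getName()` in `validerSettKontekst` already makes the same assumption, so an `Objects.requireNonNull(resourceInfo.getResourceMethod(), "resourceMethod")` with a clear message, or a comment stating the assumption, would turn a bare NPE outside the `TekniskException | TokenFeil` catch into an explicit failure. The generic bounds of the signature appear stripped in this rendering, so they are not reviewed here.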
@@ -104,8 +110,9 @@ private static Optional getTokenFromHeader(ContainerRequestContext
             : Optional.empty();
     }
-    public static void validerTokenSetKontekst(TokenString tokenString) {
+    public static void validerTokenSetKontekst(ResourceInfo resourceInfo, ContainerRequestContext ctx) {
         // Sett opp OpenIDToken
+        var tokenString = getTokenFromHeader(ctx).orElseThrow(() -> new ValideringsFeil("Mangler token"));
         var claims = JwtUtil.getClaims(tokenString.token());
         var configuration = ConfigProvider.getOpenIDConfiguration(JwtUtil.getIssuer(claims))
             .orElseThrow(() -> new TokenFeil("Token mangler issuer claim"));
@@ -124,8 +131,22 @@ public static void validerTokenSetKontekst(TokenString tokenString) {
         } else {
             throw new ValideringsFeil("Ugyldig token");
         }
+        logStsUsage(configuration.type(), resourceInfo, resourceInfo.getResourceMethod().getName());
     }
+    private static void logStsUsage(OpenIDProvider type, ResourceInfo resourceInfo, String metodenavn) {
+        if (OpenIDProvider.STS.equals(type)) {
+            var annotertTillatSts = getAnnotation(resourceInfo, TillatSTS.class).isPresent();
+            if (annotertTillatSts) {
+                LOG.info("Innkommende STS - metode {} har annotering TillatSTS", metodenavn);
+            } else {
+                LOG.info("Innkommende STS - metode {} mangler annotering TillatSTS", metodenavn);
+            }
+        }
+    }
+
+
+
     private static class TokenFeil extends RuntimeException {
         TokenFeil(String message) {
             super(message);
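Review bot: The public `validerTokenSetKontekst(TokenString)` is removed rather than kept as an overload, which is a source-incompatible change for any caller outside this file that already holds a `TokenString`; the patch shows no callers, so if there are none this is fine, otherwise keep the old signature delegating to the validation part. The new signature now both extracts the header and validates, which deserves a Javadoc such as `/** Reads the bearer token from the Authorization header, looks up the OpenID configuration for its issuer and validates it; throws ValideringsFeil when the header is missing or the token is rejected, TokenFeil when the issuer is unknown. */`. `validerTokenSetKontekst` continues beyond this hunk.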
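Review bot: `logStsUsage` emits both outcomes at INFO, so the case this change is meant to surface — an STS-authenticated call reaching a method without `@TillatSTS` — is not distinguishable by level from the expected case; log that branch with `LOG.warn("Innkommende STS - metode {} mangler annotering TillatSTS", metodenavn);` and leave the annotated branch at INFO (or DEBUG if volume is a concern). Since the method only logs and never rejects, a comment such as `// Observation only: a missing TillatSTS is logged, not enforced` would stop a reader from assuming the annotation gates access. The `metodenavn` parameter can be derived from `resourceInfo` inside the method, and the three blank lines before `TokenFeil` can be reduced to one.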