Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Robust sjekk på annotering, logg om STS-endepunkt er annotert #1377

Merged
merged 1 commit into from
Aug 19, 2024
Merged

Robust sjekk på annotering, logg om STS-endepunkt er annotert #1377

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 31 additions & 10 deletions ...auth-filter/src/main/java/no/nav/vedtak/sikkerhet/jaxrs/AuthenticationFilterDelegate.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,24 +1,27 @@
package no.nav.vedtak.sikkerhet.jaxrs;

import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.time.Instant;
import java.util.Optional;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.MDC;

import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ResourceInfo;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.MDC;

import no.nav.vedtak.exception.TekniskException;
import no.nav.vedtak.log.mdc.MDCOperations;
import no.nav.vedtak.sikkerhet.kontekst.BasisKontekst;
import no.nav.vedtak.sikkerhet.kontekst.KontekstHolder;
import no.nav.vedtak.sikkerhet.kontekst.RequestKontekst;
import no.nav.vedtak.sikkerhet.oidc.config.ConfigProvider;
import no.nav.vedtak.sikkerhet.oidc.config.OpenIDProvider;
import no.nav.vedtak.sikkerhet.oidc.token.OpenIDToken;
import no.nav.vedtak.sikkerhet.oidc.token.TokenString;
import no.nav.vedtak.sikkerhet.oidc.validator.JwtUtil;
Expand All @@ -45,7 +48,7 @@ private AuthenticationFilterDelegate() {
public static void validerSettKontekst(ResourceInfo resourceInfo, ContainerRequestContext ctx) {
try {
Method method = resourceInfo.getResourceMethod();
var utenAutentiseringRessurs = method.getAnnotation(UtenAutentisering.class);
var utenAutentiseringRessurs = getAnnotation(resourceInfo, UtenAutentisering.class);
var metodenavn = method.getName();
if (KontekstHolder.harKontekst()) {
LOG.info("Kall til {} hadde kontekst {}", metodenavn, KontekstHolder.getKontekst().getKompaktUid());
Expand All @@ -55,13 +58,11 @@ public static void validerSettKontekst(ResourceInfo resourceInfo, ContainerReque
setCallAndConsumerId(ctx);
LOG.trace("{} i klasse {}", metodenavn, method.getDeclaringClass());
// Kan vurdere å unnta metodenavn = getOpenApi og getDeclaringClass startsWith io.swagger + endsWith OpenApiResource
if (utenAutentiseringRessurs != null ) {
if (utenAutentiseringRessurs.isPresent()) {
KontekstHolder.setKontekst(BasisKontekst.ikkeAutentisertRequest(MDCOperations.getConsumerId()));
LOG.trace("{} er whitelisted", metodenavn);
} else {
var tokenString = getTokenFromHeader(ctx)
.orElseThrow(() -> new ValideringsFeil("Mangler token"));
validerTokenSetKontekst(tokenString);
validerTokenSetKontekst(resourceInfo, ctx);
setUserAndConsumerId(KontekstHolder.getKontekst().getUid());
}
} catch (TekniskException | TokenFeil e) {
Expand Down Expand Up @@ -97,15 +98,21 @@ private static void setUserAndConsumerId(String subject) {
}
}

private static <T extends Annotation> Optional<T> getAnnotation(ResourceInfo resourceInfo, Class<T> tClass) {
return Optional.ofNullable(resourceInfo.getResourceMethod().getAnnotation(tClass))
.or(() -> Optional.ofNullable(resourceInfo.getResourceClass().getAnnotation(tClass)));
}

private static Optional<TokenString> getTokenFromHeader(ContainerRequestContext request) {
String headerValue = request.getHeaderString(AUTHORIZATION_HEADER);
return headerValue != null && headerValue.startsWith(OpenIDToken.OIDC_DEFAULT_TOKEN_TYPE)
? Optional.of(new TokenString(headerValue.substring(OpenIDToken.OIDC_DEFAULT_TOKEN_TYPE.length())))
: Optional.empty();
}

public static void validerTokenSetKontekst(TokenString tokenString) {
public static void validerTokenSetKontekst(ResourceInfo resourceInfo, ContainerRequestContext ctx) {
// Sett opp OpenIDToken
var tokenString = getTokenFromHeader(ctx).orElseThrow(() -> new ValideringsFeil("Mangler token"));
var claims = JwtUtil.getClaims(tokenString.token());
var configuration = ConfigProvider.getOpenIDConfiguration(JwtUtil.getIssuer(claims))
.orElseThrow(() -> new TokenFeil("Token mangler issuer claim"));
Expand All @@ -124,8 +131,22 @@ public static void validerTokenSetKontekst(TokenString tokenString) {
} else {
throw new ValideringsFeil("Ugyldig token");
}
logStsUsage(configuration.type(), resourceInfo, resourceInfo.getResourceMethod().getName());
}

private static void logStsUsage(OpenIDProvider type, ResourceInfo resourceInfo, String metodenavn) {
if (OpenIDProvider.STS.equals(type)) {
var annotertTillatSts = getAnnotation(resourceInfo, TillatSTS.class).isPresent();
if (annotertTillatSts) {
LOG.info("Innkommende STS - metode {} har annotering TillatSTS", metodenavn);
} else {
LOG.info("Innkommende STS - metode {} mangler annotering TillatSTS", metodenavn);
}
}
}



private static class TokenFeil extends RuntimeException {
TokenFeil(String message) {
super(message);
Expand Down