Revert "Revert "Bruker azure-token for k9kall, ryddet vekk referenser…

… til STS"" (#1079)
navikt · Jan 19, 2024 · 7b6fbd5 · 7b6fbd5
1 parent d6c10dc
commit 7b6fbd5
Show file tree

Hide file tree

Showing 10 changed files with 7 additions and 144 deletions.
diff --git a/nais/dev-fss.yml b/nais/dev-fss.yml
@@ -89,14 +89,8 @@ spec:
       value: api://dev-fss.pdl.pdl-api/.default
 
     # Sikkerhet:
-    - name: NAIS_STS_TOKEN_ENDPOINT
-      value: https://security-token-service.nais.preprod.local/rest/v1/sts/token
     - name: ABAC_PDP_ENDPOINT_URL
       value: http://abac-k9.k9saksbehandling/application/authorize
-    - name: APP_NAISSTS_aud
-      value: "srvk9sak"
-    - name: APP_NAISSTS_discovery_url
-      value: https://security-token-service.nais.preprod.local/rest/v1/sts/.well-known/openid-configuration
 
     # Audit logging
     - name: AUDITLOGGER_ENABLED

diff --git a/nais/prod-fss.yml b/nais/prod-fss.yml
@@ -90,14 +90,8 @@ spec:
       value: api://prod-fss.pdl.pdl-api/.default
 
     # Sikkerhet:
-    - name: NAIS_STS_TOKEN_ENDPOINT
-      value: https://security-token-service.nais.adeo.no/rest/v1/sts/token
     - name: ABAC_PDP_ENDPOINT_URL
       value: http://abac-k9.k9saksbehandling/application/authorize
-    - name: APP_NAISSTS_aud
-      value: "srvk9sak"
-    - name: APP_NAISSTS_discovery_url
-      value: https://security-token-service.nais.adeo.no/rest/v1/sts/.well-known/openid-configuration
 
     # Audit logging
     - name: AUDITLOGGER_ENABLED

diff --git a/src/main/kotlin/no/nav/k9punsj/CoroutineRequestContext.kt b/src/main/kotlin/no/nav/k9punsj/CoroutineRequestContext.kt
@@ -56,21 +56,6 @@ private fun CoroutineContext.settAuthentication(authorizationHeader: String) =
 internal fun CoroutineContext.hentAuthentication(): Authentication =
     hentAttributt("authentication") as? Authentication ?: throw IllegalStateException("Authentication ikke satt")
 
-internal fun K9SakRoutes(
-    authenticationHandler: AuthenticationHandler,
-    routes: CoRouterFunctionDsl.() -> Unit
-) = Routes(
-    authenticationHandler,
-    routes,
-    setOf("naissts", "azurev2")
-) { jwtToken ->
-    if(jwtToken.jwtTokenClaims.issuer.contains("security-token-service")) {
-        jwtToken.containsClaim("sub", "srvk9sak")
-    } else {
-        true
-    }
-}
-
 internal fun SaksbehandlerRoutes(
     authenticationHandler: AuthenticationHandler,
     routes: CoRouterFunctionDsl.() -> Unit

diff --git a/src/main/kotlin/no/nav/k9punsj/integrasjoner/k9sak/K9SakServiceImpl.kt b/src/main/kotlin/no/nav/k9punsj/integrasjoner/k9sak/K9SakServiceImpl.kt
@@ -55,7 +55,7 @@ import kotlin.coroutines.coroutineContext
 class K9SakServiceImpl(
     @Value("\${no.nav.k9sak.base_url}") private val baseUrl: URI,
     @Value("\${no.nav.k9sak.scope}") private val k9sakScope: Set<String>,
-    @Qualifier("sts") private val accessTokenClient: AccessTokenClient,
+    @Qualifier("azure") private val accessTokenClient: AccessTokenClient,
     private val journalpostService: JournalpostService,
     private val personService: PersonService
 ) : K9SakService {
@@ -292,7 +292,7 @@ class K9SakServiceImpl(
             .body(body)
             .header(
                 HttpHeaders.ACCEPT to "application/json",
-                HttpHeaders.AUTHORIZATION to cachedAccessTokenClient.getAccessToken(emptySet()).asAuthoriationHeader(),
+                HttpHeaders.AUTHORIZATION to cachedAccessTokenClient.getAccessToken(k9sakScope).asAuthoriationHeader(),
                 HttpHeaders.CONTENT_TYPE to "application/json",
                 "callId" to hentCallId()
             ).awaitStringResponseResult()

diff --git a/src/main/kotlin/no/nav/k9punsj/journalpost/JournalpostInfoRoutes.kt b/src/main/kotlin/no/nav/k9punsj/journalpost/JournalpostInfoRoutes.kt
@@ -2,12 +2,11 @@ package no.nav.k9punsj.journalpost
 
 import kotlinx.coroutines.reactive.awaitFirst
 import no.nav.k9.sak.kontrakt.dokument.JournalpostIdDto
-import no.nav.k9punsj.K9SakRoutes
 import no.nav.k9punsj.RequestContext
+import no.nav.k9punsj.SaksbehandlerRoutes
 import no.nav.k9punsj.journalpost.dto.JournalpostIderDto
 import no.nav.k9punsj.journalpost.dto.SøkUferdigJournalposter
 import no.nav.k9punsj.tilgangskontroll.AuthenticationHandler
-import org.slf4j.LoggerFactory
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.web.reactive.function.BodyExtractors
@@ -28,7 +27,7 @@ internal class JournalpostInfoRoutes(
     }
 
     @Bean
-    fun JournalpostInfoRoutes() = K9SakRoutes(authenticationHandler) {
+    fun JournalpostInfoRoutes() = SaksbehandlerRoutes(authenticationHandler) {
         POST("/api${Urls.HentÅpneJournalposterPost}") { request ->
             RequestContext(coroutineContext, request) {
                 val dto = request.søkUferdigJournalposter()

diff --git a/src/main/kotlin/no/nav/k9punsj/tilgangskontroll/AccessTokenClients.kt b/src/main/kotlin/no/nav/k9punsj/tilgangskontroll/AccessTokenClients.kt
@@ -16,10 +16,6 @@ internal class AccessTokenClients(
     @Value("\${no.nav.security.jwt.client.azure.client_id}") azureClientId: String,
     @Value("\${no.nav.security.jwt.client.azure.jwk}") azureJwk: String,
     @Value("\${no.nav.security.jwt.client.azure.token_endpoint}") azureTokenEndpoint: URI,
-
-    @Value("\${systembruker.username}") clientId: String,
-    @Value("\${systembruker.password}") clientSecret: String,
-    @Value("\${no.nav.security.sts.client.token_endpoint}") stsTokenEndpoint: URI
 ) {
 
     private companion object {
@@ -39,13 +35,6 @@ internal class AccessTokenClients(
         throw IllegalArgumentException("Azure JWK på feil format.")
     }
 
-    private val naisStsClient = ClientSecretAccessTokenClient(
-        clientId = clientId,
-        clientSecret = clientSecret,
-        tokenEndpoint = stsTokenEndpoint,
-        authenticationMode = ClientSecretAccessTokenClient.AuthenticationMode.BASIC
-    )
-
     private val signedJwtAzureAccessTokenClient = SignedJwtAccessTokenClient(
         clientId = azureClientId,
         tokenEndpoint = azureTokenEndpoint,
@@ -56,10 +45,6 @@ internal class AccessTokenClients(
     @Bean
     @Qualifier("azure")
     internal fun azureAccessTokenClient(): AccessTokenClient = signedJwtAzureAccessTokenClient
-
-    @Bean
-    @Qualifier("sts")
-    internal fun stsAccessTokenClient(): AccessTokenClient = naisStsClient
 }
 
 private val logger: Logger = LoggerFactory.getLogger("no.nav.k9.AccessTokenHelsesjekk")

diff --git a/src/main/kotlin/no/nav/k9punsj/tilgangskontroll/oidc/OidcRoutes.kt b/src/main/kotlin/no/nav/k9punsj/tilgangskontroll/oidc/OidcRoutes.kt
@@ -18,7 +18,7 @@ import kotlin.coroutines.coroutineContext
 @Configuration
 internal class OidcRoutes(
     private val authenticationHandler: AuthenticationHandler,
-    @Qualifier("sts") accessTokenClient: AccessTokenClient
+    @Qualifier("azure") accessTokenClient: AccessTokenClient
 ) {
     private val cachedAccessTokenClient = CachedAccessTokenClient(accessTokenClient)
     private val scope: Set<String> = setOf("openid")

diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -17,16 +17,6 @@ management:
         include: info, health, prometheus
       base-path: /internal/actuator
 
-systembruker:
-  username: ${SYSTEMBRUKER_USERNAME}
-  password: ${SYSTEMBRUKER_PASSWORD}
-
-javax:
-  net:
-    ssl:
-      trustStore: ${NAV_TRUSTSTORE_PATH}
-      trustStorePassword: ${NAV_TRUSTSTORE_PASSWORD}
-
 springdoc:
   api-docs:
     path: /internal/api-docs
@@ -67,9 +57,6 @@ no.nav:
     scope: ${GOSYS_BASE_SCOPE}
 
   security:
-    sts:
-      client:
-        token_endpoint: ${NAIS_STS_TOKEN_ENDPOINT}
     jwt:
       expirythreshold: 1
       client:
@@ -82,10 +69,6 @@ no.nav:
           discoveryurl: ${AZURE_APP_WELL_KNOWN_URL}
           accepted_audience: ${AZURE_APP_CLIENT_ID}
           proxyUrl: ${HTTP_PROXY:}
-        naissts:
-          discoveryurl: ${APP_NAISSTS_discovery_url}
-          accepted_audience: ${APP_NAISSTS_aud}
-          proxyUrl:
 
   db:
     url: ${DEFAULTDS_URL}

diff --git a/src/test/kotlin/no/nav/k9punsj/rest/server/PunsjJournalpostInfoRoutesTest.kt b/src/test/kotlin/no/nav/k9punsj/rest/server/PunsjJournalpostInfoRoutesTest.kt
@@ -9,7 +9,6 @@ import no.nav.k9punsj.felles.JsonB
 import no.nav.k9punsj.journalpost.dto.SøkUferdigJournalposter
 import no.nav.k9punsj.utils.objectMapper
 import no.nav.k9punsj.util.WebClientUtils.awaitStatuscode
-import no.nav.k9punsj.wiremock.k9SakToken
 import no.nav.k9punsj.wiremock.saksbehandlerAccessToken
 import org.junit.jupiter.api.Assertions.assertEquals
 import org.junit.jupiter.api.Test
@@ -25,7 +24,7 @@ class PunsjJournalpostInfoRoutesTest : AbstractContainerBaseTest() {
 
     @Test
     fun `Får en liste med journalpostIder som ikke er ferdig behandlet av punsj post`(): Unit = runBlocking {
-        val k9sakToken = "Bearer ${no.nav.helse.dusseldorf.testsupport.jws.NaisSts.k9SakToken()}"
+        val k9sakToken = "Bearer ${no.nav.helse.dusseldorf.testsupport.jws.Azure.V2_0.saksbehandlerAccessToken()}"
 
         webTestClient.post().uri {
             it.pathSegment("api", "journalpost", "uferdig").build()
@@ -38,7 +37,7 @@ class PunsjJournalpostInfoRoutesTest : AbstractContainerBaseTest() {
 
     @Test
     fun `Http 500 om vi sender feil body`(): Unit = runBlocking {
-        val k9sakToken = "Bearer ${no.nav.helse.dusseldorf.testsupport.jws.NaisSts.k9SakToken()}"
+        val k9sakToken = "Bearer ${no.nav.helse.dusseldorf.testsupport.jws.Azure.V2_0.saksbehandlerAccessToken()}"
 
         webTestClient.post().uri {
             it.pathSegment("api", "journalpost", "uferdig").build()

diff --git a/src/test/kotlin/no/nav/k9punsj/wiremock/AccessTokenMocks.kt b/src/test/kotlin/no/nav/k9punsj/wiremock/AccessTokenMocks.kt
@@ -3,14 +3,10 @@ package no.nav.k9punsj.wiremock
 import com.github.tomakehurst.wiremock.WireMockServer
 import com.github.tomakehurst.wiremock.client.WireMock
 import no.nav.helse.dusseldorf.testsupport.jws.Azure
-import no.nav.helse.dusseldorf.testsupport.jws.NaisSts
 
 private const val path = "/access-token-mock"
 fun WireMockServer.stubAccessTokens() = stubSaksbehandlerAccessToken()
     .stubNavHeader()
-    .stubNaisStsTokenResponseGet()
-    .stubNaisStsTokenResponsePost()
-    .stubNaisStsTokenResponsePut()
 
 fun WireMockServer.stubSaksbehandlerAccessToken(): WireMockServer {
 
@@ -31,68 +27,6 @@ fun WireMockServer.stubSaksbehandlerAccessToken(): WireMockServer {
     return this
 }
 
-fun WireMockServer.stubNaisStsTokenResponseGet(): WireMockServer {
-
-    val jwt = Azure.V2_0.saksbehandlerAccessToken()
-
-    WireMock.stubFor(
-        WireMock.get(WireMock.urlPathEqualTo("/nais-sts/token")).willReturn(
-            WireMock.aResponse()
-                .withHeader("Content-Type", "application/json")
-                .withBody("""
-                                {
-                                    "token_type": "Bearer",
-                                    "access_token": "$jwt"
-                                }
-                            """.trimIndent())
-                .withStatus(200)
-        )
-    )
-    return this
-}
-
-fun WireMockServer.stubNaisStsTokenResponsePost(): WireMockServer {
-
-    val jwt = Azure.V2_0.saksbehandlerAccessToken()
-
-    WireMock.stubFor(
-        WireMock.post(WireMock.urlPathEqualTo("/nais-sts/token")).willReturn(
-            WireMock.aResponse()
-                .withHeader("Content-Type", "application/json")
-                .withBody("""
-                                {
-                                    "token_type": "Bearer",
-                                    "access_token": "$jwt"
-                                }
-                            """.trimIndent())
-                .withStatus(200)
-        )
-    )
-    return this
-}
-
-fun WireMockServer.stubNaisStsTokenResponsePut(): WireMockServer {
-
-    val jwt = Azure.V2_0.saksbehandlerAccessToken()
-
-    WireMock.stubFor(
-        WireMock.put(WireMock.urlPathEqualTo("/nais-sts/token")).willReturn(
-            WireMock.aResponse()
-                .withHeader("Content-Type", "application/json")
-                .withBody("""
-                                {   
-                                    "token_type": "Bearer",
-                                    "access_token": "$jwt"
-                                }
-                            """.trimIndent())
-                .withStatus(200)
-        )
-    )
-
-    return this
-}
-
-
 fun WireMockServer.stubNavHeader(): WireMockServer {
 
     val jwt = Azure.V2_0.navHeader()
@@ -124,13 +58,3 @@ fun Azure.V2_0.navHeader() = generateJwt(
         clientId = "nav",
         audience = "k9-punsj"
 )
-
-fun NaisSts.k9SakToken() = generateJwt(
-    application = "srvk9sak",
-    overridingClaims = mapOf(
-        "sub" to "srvk9sak",
-        "aud" to "srvk9sak"
-    )
-)
-
-