Ett lokalt cluster og støtte for kryss-cluster-ingress (#1265)
jolarsen authored Mar 15, 2023
1 parent 3bb1cf4 commit b94667b
Showing 4 changed files with 66 additions and 32 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@
import javax.enterprise.inject.Default;
import javax.inject.Inject;

import no.nav.foreldrepenger.konfig.Cluster;
import no.nav.foreldrepenger.konfig.Environment;
import no.nav.foreldrepenger.konfig.KonfigVerdi;
import no.nav.vedtak.sikkerhet.abac.beskyttet.AvailabilityType;
Expand All @@ -33,7 +32,6 @@ public class PepImpl implements Pep {
private TokenProvider tokenProvider;
private String preAuthorized;
private String residentClusterNamespace;
private String alternativeClusterNamespace;

public PepImpl() {
}
Expand All @@ -48,13 +46,7 @@ public PepImpl(PdpKlient pdpKlient,
this.tokenProvider = tokenProvider;
this.pipUsers = konfigurePipUsers(pipUsers);
this.preAuthorized = ENV.getProperty(AzureProperty.AZURE_APP_PRE_AUTHORIZED_APPS.name()); // eg json array av objekt("name", "clientId")
if (ENV.isLocal()) {
this.residentClusterNamespace = Cluster.VTP.clusterName() + ":" + ENV.namespace();
this.alternativeClusterNamespace = Cluster.LOCAL.clusterName() + ":" + ENV.namespace();
} else {
this.residentClusterNamespace = ENV.clusterName() + ":" + ENV.namespace();
this.alternativeClusterNamespace = this.residentClusterNamespace;
}
this.residentClusterNamespace = ENV.clusterName() + ":" + ENV.namespace();
}

protected Set<String> konfigurePipUsers(String pipUsers) {
Expand All @@ -72,8 +64,7 @@ public Tilgangsbeslutning vurderTilgang(BeskyttetRessursAttributter beskyttetRes
return vurderTilgangTilPipTjeneste(beskyttetRessursAttributter, appRessurser);
}
if (kanForetaLokalTilgangsbeslutning(beskyttetRessursAttributter)) {
return new Tilgangsbeslutning(harTilgang(beskyttetRessursAttributter) ? GODKJENT : AVSLÅTT_ANNEN_ÅRSAK, beskyttetRessursAttributter,
appRessurser);
return new Tilgangsbeslutning(harTilgang(beskyttetRessursAttributter) ? GODKJENT : AVSLÅTT_ANNEN_ÅRSAK, beskyttetRessursAttributter, appRessurser);
}
return pdpKlient.forespørTilgang(beskyttetRessursAttributter, builder.abacDomene(), appRessurser);
}
Expand All @@ -84,17 +75,16 @@ public Tilgangsbeslutning vurderTilgang(BeskyttetRessursAttributter beskyttetRes
private boolean kanForetaLokalTilgangsbeslutning(BeskyttetRessursAttributter attributter) {
var identType = attributter.getToken().getIdentType();
var consumer = attributter.getToken().getBrukerId();
return OpenIDProvider.AZUREAD.equals(attributter.getToken().getOpenIDProvider()) && IdentType.Systemressurs.equals(identType)
&& consumer != null && preAuthorized != null;
return OpenIDProvider.AZUREAD.equals(attributter.getToken().getOpenIDProvider())
&& IdentType.Systemressurs.equals(identType) && consumer != null && preAuthorized != null;
}

private boolean harTilgang(BeskyttetRessursAttributter attributter) {
var consumer = attributter.getToken().getBrukerId();
if (consumer == null || !preAuthorized.contains(consumer)) {
return false;
}
if (consumer.startsWith(residentClusterNamespace) || consumer.startsWith(alternativeClusterNamespace) || builder.internAzureConsumer(
consumer)) {
if (consumer.startsWith(residentClusterNamespace) || builder.internAzureConsumer(consumer)) {
return true;
}
return AvailabilityType.ALL.equals(attributter.getAvailabilityType());
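Review bot: The prefix check kept in harTilgang, `if (consumer.startsWith(residentClusterNamespace) || builder.internAzureConsumer(consumer))`, compares against a value built as `cluster:namespace` with no trailing separator, so if consumer ids follow the `cluster:namespace:app` form the updated test constant suggests, a consumer from any namespace whose name merely begins with the resident namespace string is also accepted as resident. Building the value with the separator in the constructor, `this.residentClusterNamespace = ENV.clusterName() + ":" + ENV.namespace() + ":";`, keeps the intended match and closes that gap. The earlier `preAuthorized.contains(consumer)` substring test, over what the constructor comment describes as a JSON array, has the same looseness; it predates this commit but is worth tightening in the same pass. harTilgang's body continues past the end of this section.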
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@
@ExtendWith(MockitoExtension.class)
class PepImplTest {

private static final String LOCAL_APP = "local:" + Namespace.foreldrepenger().getName() + ":application";
private static final String LOCAL_APP = "vtp:" + Namespace.foreldrepenger().getName() + ":application";

private PepImpl pep;
@Mock
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
package no.nav.vedtak.felles.integrasjon.rest;

import java.util.Map;
import java.util.Optional;
import java.util.Set;

import no.nav.foreldrepenger.konfig.Cluster;
import no.nav.foreldrepenger.konfig.Environment;
Expand All @@ -19,6 +21,7 @@ public enum FpApplication {
FPTILBAKE,
FPDOKGEN,
FPWSPROXY,
FPOVERSIKT,
NONFP;

private static final Environment ENV = Environment.current();
Expand All @@ -29,38 +32,79 @@ public enum FpApplication {
/*
* Utelatt fpabonnent:8065
*/
private static final Map<FpApplication, Integer> LOCAL_PORTS = Map.ofEntries(Map.entry(FpApplication.FPSAK, 8080),
Map.entry(FpApplication.FPABAKUS, 8015), Map.entry(FpApplication.FPFORMIDLING, 8010), Map.entry(FpApplication.FPRISK, 8075),
Map.entry(FpApplication.FPOPPDRAG, 8070), Map.entry(FpApplication.FPTILBAKE, 8030), Map.entry(FpApplication.FPFORDEL, 8090),
Map.entry(FpApplication.FPDOKGEN, 8291), Map.entry(FpApplication.FPWSPROXY, 8292), Map.entry(FpApplication.FPLOS, 8071),
Map.entry(FpApplication.FPINFO, 8040));
private static final Map<FpApplication, Integer> LOCAL_PORTS = Map.ofEntries(
Map.entry(FpApplication.FPSAK, 8080),
Map.entry(FpApplication.FPABAKUS, 8015),
Map.entry(FpApplication.FPFORMIDLING, 8010),
Map.entry(FpApplication.FPRISK, 8075),
Map.entry(FpApplication.FPOPPDRAG, 8070),
Map.entry(FpApplication.FPTILBAKE, 8030),
Map.entry(FpApplication.FPFORDEL, 8090),
Map.entry(FpApplication.FPDOKGEN, 8291),
Map.entry(FpApplication.FPWSPROXY, 8292),
Map.entry(FpApplication.FPLOS, 8071),
Map.entry(FpApplication.FPINFO, 8040),
Map.entry(FpApplication.FPOVERSIKT, 8020)
);

private static final Set<FpApplication> GCP_APPS = Set.of(FPOVERSIKT);

public boolean specified() {
return !NONFP.equals(this);
}

public static String contextPathFor(FpApplication application) {
if (CLUSTER.isLocal() && ENV.getProperty(application.contextPathProperty()) != null) {
return ENV.getProperty(application.contextPathProperty());
if (application == null || NONFP.equals(application)) {
throw new IllegalArgumentException("Utviklerfeil: angitt app er ikke i fp-familien");
}
var appname = application.name().toLowerCase();
// Sjekk om override for kjøring i IDE <app>.override.url=http://localhost:localport/<appname> (evt med port og annen path)
var override = contextPathProperty(application);
if (CLUSTER.isLocal() && override!= null) {
return override;
}
// Sjekk om kryss-lokasjon - da trengs ingress og litt ulike varianter
var clusterForApplication = getCluster(application);
if (!CLUSTER.equals(clusterForApplication)) {
var prefix = "https://" + appname;
if (ENV.isFss()) {
return prefix + (ENV.isProd() ? "" : ".dev") + ".intern.nav.no/" + appname;
} else if (ENV.isGcp()) {
return prefix + clusterForApplication.clusterName() + "-pub.nais.io/" + appname;
} else {
throw new IllegalStateException("Utviklerfeil: Skal ikke komme hit");
}
}
var prefix = "http://" + application.name().toLowerCase();
// Samme lokasjon og cluster - bruk service discovery
var prefix = "http://" + appname;
return switch (CLUSTER) {
case DEV_FSS, PROD_FSS -> prefix + "/" + application.name().toLowerCase();
case VTP -> prefix + ":8080/" + application.name().toLowerCase();
case LOCAL -> "http://localhost:" + LOCAL_PORTS.get(application) + "/" + application.name().toLowerCase();
case DEV_FSS, PROD_FSS -> prefix + "/" + appname;
case VTP -> prefix + ":8080/" + appname;
default -> throw new IllegalArgumentException("Ikke implementert for Cluster " + CLUSTER.clusterName());
};
}

public static String scopesFor(FpApplication application) {
if (CLUSTER.isLocal()) {
return "api://" + Cluster.VTP.clusterName() + "." + FORELDREPENGER.getName() + "." + application.name().toLowerCase() + "/.default";
return "api://" + Cluster.VTP.clusterName() + "." + FORELDREPENGER.getName() + "." + Cluster.VTP.clusterName() + "/.default";
}
return "api://" + CLUSTER.clusterName() + "." + FORELDREPENGER.getName() + "." + application.name().toLowerCase() + "/.default";
}

private String contextPathProperty() {
return this.name() + ".override.url";
private static String contextPathProperty(FpApplication application) {
return Optional.ofNullable(ENV.getProperty(application.name().toLowerCase() + ".override.url"))
.map(s -> s.replace("localhost:localport", "localhost:" + LOCAL_PORTS.get(application)))
.orElse(null);
}

private static Cluster getCluster(FpApplication application) {
if (CLUSTER.isProd()) {
return GCP_APPS.contains(application) ? Cluster.PROD_GCP : Cluster.PROD_FSS;
} else if (CLUSTER.isDev()) {
return GCP_APPS.contains(application) ? Cluster.DEV_GCP : Cluster.DEV_FSS;
} else {
return Cluster.VTP;
}
}

}
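Review bot: The GCP branch of contextPathFor builds the ingress host without a separator: `prefix` is `"https://" + appname`, so `return prefix + clusterForApplication.clusterName() + "-pub.nais.io/" + appname;` yields a host of the form `https://<app><cluster>-pub.nais.io`, whereas the FSS branch two lines above inserts a `.` before its own host suffix. Unless the ingress really is registered under that fused name, the line should read `return prefix + "." + clusterForApplication.clusterName() + "-pub.nais.io/" + appname;`. Separately, the local branch of scopesFor now repeats `Cluster.VTP.clusterName()` where the old line used `application.name().toLowerCase()`, so every application resolves to the same scope locally; if that is intended, a comment such as `// Local runs talk only to VTP, so the scope does not depend on the application` would stop the next reader from "fixing" it back. In contextPathProperty, `LOCAL_PORTS.get(application)` is `null` for any enum member missing from the map, which would produce `localhost:null` in the substituted override; a guard or an explicit IllegalArgumentException for that case seems preferable.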
4 changes: 2 additions & 2 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
<parent>
<groupId>no.nav.foreldrepenger.felles</groupId>
<artifactId>fp-bom</artifactId>
<version>0.4.5</version>
<version>0.4.6</version>
</parent>

<artifactId>felles-root</artifactId>
Expand All @@ -31,7 +31,7 @@
<dependency>
<groupId>no.nav.foreldrepenger.felles</groupId>
<artifactId>fp-bom</artifactId>
<version>0.4.5</version>
<version>0.4.6</version>
<scope>import</scope>
<type>pom</type>
</dependency>
