From cf5b47cef842b23d89d08d54ae47d3927b98fe3e Mon Sep 17 00:00:00 2001 From: Jens-Otto Larsen Date: Mon, 13 Mar 2023 19:28:53 +0100 Subject: [PATCH] =?UTF-8?q?Ett=20lokalt=20cluster=20og=20st=C3=B8tte=20for?= =?UTF-8?q?=20kryss-cluster-ingress?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../no/nav/vedtak/sikkerhet/abac/PepImpl.java | 20 ++---- .../vedtak/sikkerhet/abac/PepImplTest.java | 2 +- .../integrasjon/rest/FpApplication.java | 72 +++++++++++++++---- pom.xml | 4 +- 4 files changed, 66 insertions(+), 32 deletions(-) diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PepImpl.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PepImpl.java index d69a375d0..860fbdfcf 100644 --- a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PepImpl.java +++ b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PepImpl.java @@ -9,7 +9,6 @@ import javax.enterprise.inject.Default; import javax.inject.Inject; -import no.nav.foreldrepenger.konfig.Cluster; import no.nav.foreldrepenger.konfig.Environment; import no.nav.foreldrepenger.konfig.KonfigVerdi; import no.nav.vedtak.sikkerhet.abac.beskyttet.AvailabilityType; @@ -33,7 +32,6 @@ public class PepImpl implements Pep { private TokenProvider tokenProvider; private String preAuthorized; private String residentClusterNamespace; - private String alternativeClusterNamespace; public PepImpl() { } 
@@ -48,13 +46,7 @@ public PepImpl(PdpKlient pdpKlient, this.tokenProvider = tokenProvider; this.pipUsers = konfigurePipUsers(pipUsers); this.preAuthorized = ENV.getProperty(AzureProperty.AZURE_APP_PRE_AUTHORIZED_APPS.name()); // eg json array av objekt("name", "clientId") - if (ENV.isLocal()) { - this.residentClusterNamespace = Cluster.VTP.clusterName() + ":" + ENV.namespace(); - this.alternativeClusterNamespace = Cluster.LOCAL.clusterName() + ":" + ENV.namespace(); - } else { - this.residentClusterNamespace = ENV.clusterName() + ":" + ENV.namespace(); - this.alternativeClusterNamespace = this.residentClusterNamespace; - } + this.residentClusterNamespace = ENV.clusterName() + ":" + ENV.namespace(); } protected Set konfigurePipUsers(String pipUsers) { @@ -72,8 +64,7 @@ public Tilgangsbeslutning vurderTilgang(BeskyttetRessursAttributter beskyttetRes return vurderTilgangTilPipTjeneste(beskyttetRessursAttributter, appRessurser); } if (kanForetaLokalTilgangsbeslutning(beskyttetRessursAttributter)) { - return new Tilgangsbeslutning(harTilgang(beskyttetRessursAttributter) ? GODKJENT : AVSLÅTT_ANNEN_ÅRSAK, beskyttetRessursAttributter, - appRessurser); + return new Tilgangsbeslutning(harTilgang(beskyttetRessursAttributter) ? GODKJENT : AVSLÅTT_ANNEN_ÅRSAK, beskyttetRessursAttributter, appRessurser); } return pdpKlient.forespørTilgang(beskyttetRessursAttributter, builder.abacDomene(), appRessurser); } 
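Review bot: The constructor now sets `residentClusterNamespace` unconditionally from `ENV.clusterName()`, so the local/VTP special case that the removed branch handled explicitly is now delegated to whatever the environment reports as cluster name outside a real cluster; the updated PepImplTest in this commit expects that to be `vtp`. That contract lives in the konfig library (bumped to fp-bom 0.4.6 below) and is not visible in this file, so a short comment on the assignment would help the next reader, e.g. `// Locally ENV.clusterName() is expected to report the VTP cluster; see PepImplTest`. Since this prefix gates a local (non-PDP) access decision, it is worth also pinning that expectation with an assertion in the test rather than only through the string constant.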
@@ -84,8 +75,8 @@ public Tilgangsbeslutning vurderTilgang(BeskyttetRessursAttributter beskyttetRes private boolean kanForetaLokalTilgangsbeslutning(BeskyttetRessursAttributter attributter) { var identType = attributter.getToken().getIdentType(); var consumer = attributter.getToken().getBrukerId(); - return OpenIDProvider.AZUREAD.equals(attributter.getToken().getOpenIDProvider()) && IdentType.Systemressurs.equals(identType) - && consumer != null && preAuthorized != null; + return OpenIDProvider.AZUREAD.equals(attributter.getToken().getOpenIDProvider()) + && IdentType.Systemressurs.equals(identType) && consumer != null && preAuthorized != null; } private boolean harTilgang(BeskyttetRessursAttributter attributter) { @@ -93,8 +84,7 @@ private boolean harTilgang(BeskyttetRessursAttributter attributter) { if (consumer == null || !preAuthorized.contains(consumer)) { return false; } - if (consumer.startsWith(residentClusterNamespace) || consumer.startsWith(alternativeClusterNamespace) || builder.internAzureConsumer( - consumer)) { + if (consumer.startsWith(residentClusterNamespace) || builder.internAzureConsumer(consumer)) { return true; } return AvailabilityType.ALL.equals(attributter.getAvailabilityType()); diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java index b27d667f9..dde4aa904 100644 --- a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java +++ b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java @@ -34,7 +34,7 @@ @ExtendWith(MockitoExtension.class) class PepImplTest { - private static final String LOCAL_APP = "local:" + Namespace.foreldrepenger().getName() + ":application"; + private static final String LOCAL_APP = "vtp:" + Namespace.foreldrepenger().getName() + ":application"; private PepImpl pep; @Mock 
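Review bot: The new `consumer.startsWith(residentClusterNamespace)` line matches on a bare `cluster:namespace` prefix with no trailing separator, so a consumer in a namespace whose name merely starts with ours (e.g. `dev-fss:teamforeldrepenger-x:app`) would also be treated as resident and skip the availability check. The earlier `preAuthorized.contains(consumer)` guard limits this to pre-authorized apps, but it is itself a substring match against the JSON text, so it does not tighten the prefix. Suggest `if (consumer.startsWith(residentClusterNamespace + ":") || builder.internAzureConsumer(consumer)) {` (or append the `:` when the field is built in the constructor). The removed `alternativeClusterNamespace` branch had the same looseness, so this is pre-existing, but the commit touches the line.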
diff --git a/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/FpApplication.java b/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/FpApplication.java
index 8ac2d9af7..ffb180775 100644
--- a/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/FpApplication.java
+++ b/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/FpApplication.java
@@ -1,6 +1,8 @@
 package no.nav.vedtak.felles.integrasjon.rest;
 import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
 import no.nav.foreldrepenger.konfig.Cluster;
 import no.nav.foreldrepenger.konfig.Environment;
@@ -19,6 +21,7 @@ public enum FpApplication {
 FPTILBAKE,
 FPDOKGEN,
 FPWSPROXY,
+ FPOVERSIKT,
 NONFP;
 private static final Environment ENV = Environment.current();
@@ -29,38 +32,79 @@ public enum FpApplication { /* * Utelatt fpabonnent:8065 */ - private static final Map LOCAL_PORTS = Map.ofEntries(Map.entry(FpApplication.FPSAK, 8080), - Map.entry(FpApplication.FPABAKUS, 8015), Map.entry(FpApplication.FPFORMIDLING, 8010), Map.entry(FpApplication.FPRISK, 8075), - Map.entry(FpApplication.FPOPPDRAG, 8070), Map.entry(FpApplication.FPTILBAKE, 8030), Map.entry(FpApplication.FPFORDEL, 8090), - Map.entry(FpApplication.FPDOKGEN, 8291), Map.entry(FpApplication.FPWSPROXY, 8292), Map.entry(FpApplication.FPLOS, 8071), - Map.entry(FpApplication.FPINFO, 8040)); + private static final Map LOCAL_PORTS = Map.ofEntries( + Map.entry(FpApplication.FPSAK, 8080), + Map.entry(FpApplication.FPABAKUS, 8015), + Map.entry(FpApplication.FPFORMIDLING, 8010), + Map.entry(FpApplication.FPRISK, 8075), + Map.entry(FpApplication.FPOPPDRAG, 8070), + Map.entry(FpApplication.FPTILBAKE, 8030), + Map.entry(FpApplication.FPFORDEL, 8090), + Map.entry(FpApplication.FPDOKGEN, 8291), + Map.entry(FpApplication.FPWSPROXY, 8292), + Map.entry(FpApplication.FPLOS, 8071), + Map.entry(FpApplication.FPINFO, 8040), + Map.entry(FpApplication.FPOVERSIKT, 8020) + ); + + private static final Set GCP_APPS = Set.of(FPOVERSIKT); public boolean specified() { return !NONFP.equals(this); } public static String contextPathFor(FpApplication application) { - if (CLUSTER.isLocal() && ENV.getProperty(application.contextPathProperty()) != null) { - return ENV.getProperty(application.contextPathProperty()); + if (application == null || NONFP.equals(application)) { + throw new IllegalArgumentException("Utviklerfeil: angitt app er ikke i fp-familien"); + } + var appname = application.name().toLowerCase(); + // Sjekk om override for kjøring i IDE .override.url=http://localhost:localport/ (evt med port og annen path) + var override = contextPathProperty(application); + if (CLUSTER.isLocal() && override!= null) { + return override; + } + // Sjekk om kryss-lokasjon - da trengs ingress og litt ulike 
varianter + var clusterForApplication = getCluster(application); + if (!CLUSTER.equals(clusterForApplication)) { + var prefix = "https://" + appname; + if (ENV.isFss()) { + return prefix + (ENV.isProd() ? "" : ".dev") + ".intern.nav.no/" + appname; + } else if (ENV.isGcp()) { + return prefix + clusterForApplication.clusterName() + "-pub.nais.io/" + appname; + } else { + throw new IllegalStateException("Utviklerfeil: Skal ikke komme hit"); + } } - var prefix = "http://" + application.name().toLowerCase(); + // Samme lokasjon og cluster - bruk service discovery + var prefix = "http://" + appname; return switch (CLUSTER) { - case DEV_FSS, PROD_FSS -> prefix + "/" + application.name().toLowerCase(); - case VTP -> prefix + ":8080/" + application.name().toLowerCase(); - case LOCAL -> "http://localhost:" + LOCAL_PORTS.get(application) + "/" + application.name().toLowerCase(); + case DEV_FSS, PROD_FSS -> prefix + "/" + appname; + case VTP -> prefix + ":8080/" + appname; default -> throw new IllegalArgumentException("Ikke implementert for Cluster " + CLUSTER.clusterName()); }; } public static String scopesFor(FpApplication application) { if (CLUSTER.isLocal()) { - return "api://" + Cluster.VTP.clusterName() + "." + FORELDREPENGER.getName() + "." + application.name().toLowerCase() + "/.default"; + return "api://" + Cluster.VTP.clusterName() + "." + FORELDREPENGER.getName() + "." + Cluster.VTP.clusterName() + "/.default"; } return "api://" + CLUSTER.clusterName() + "." + FORELDREPENGER.getName() + "." 
+ application.name().toLowerCase() + "/.default"; } - private String contextPathProperty() { - return this.name() + ".override.url"; + private static String contextPathProperty(FpApplication application) { + return Optional.ofNullable(ENV.getProperty(application.name().toLowerCase() + ".override.url")) + .map(s -> s.replace("localhost:localport", "localhost:" + LOCAL_PORTS.get(application))) + .orElse(null); + } + + private static Cluster getCluster(FpApplication application) { + if (CLUSTER.isProd()) { + return GCP_APPS.contains(application) ? Cluster.PROD_GCP : Cluster.PROD_FSS; + } else if (CLUSTER.isDev()) { + return GCP_APPS.contains(application) ? Cluster.DEV_GCP : Cluster.DEV_FSS; + } else { + return Cluster.VTP; + } } } diff --git a/pom.xml b/pom.xml index 8a1b7e516..961c8bf44 100644 --- a/pom.xml +++ b/pom.xml @@ -7,7 +7,7 @@ no.nav.foreldrepenger.felles fp-bom - 0.4.5 + 0.4.6 felles-root @@ -31,7 +31,7 @@ no.nav.foreldrepenger.felles fp-bom - 0.4.5 + 0.4.6 import pom
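Review bot: In the GCP branch of `contextPathFor` the ingress host is built as `prefix + clusterForApplication.clusterName() + "-pub.nais.io/"` with `prefix = "https://" + appname`, which yields a host of the form `https://fpsakdev-fss-pub.nais.io/fpsak` with no `.` between app and cluster, whereas the FSS branch just above does insert `.dev`; presumably `<app>.<cluster>-pub.nais.io` was intended, so `return prefix + "." + clusterForApplication.clusterName() + "-pub.nais.io/" + appname;`. A mis-built host would fail at DNS rather than leak a token, but every GCP-to-FSS call would break, and a unit test pinning the two cross-cluster URL shapes would catch this. Separately, the local branch of `scopesFor` now uses `Cluster.VTP.clusterName()` where the application name used to be, so every app gets the same `api://vtp.<namespace>.vtp/.default` scope locally; if that is intended for the VTP mock, add a comment saying so, otherwise restore `application.name().toLowerCase()`. It is good that the `.override.url` escape hatch is still only honoured when `CLUSTER.isLocal()`, since it redirects bearer tokens.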