TFP-5195: Oppdaterer azure validator med NAVident claim. (#1177)

* TFP-5195: Oppdaterer azure validator med NAVident claim. * Bump fp-bom til 0.3.5
navikt · Sep 12, 2022 · 0b92505 · 0b92505
1 parent 893db70
commit 0b92505
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 9 deletions.
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Token.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Token.java
@@ -13,7 +13,6 @@ public class Token {
 
     public enum TokenType {
         OIDC,
-        AZURE_JWT,
         TOKENX,
         SAML;
     }
@@ -42,16 +41,15 @@ public TokenType getTokenType() {
 
     private static TokenType utledTokenType(OpenIDToken token) {
         return switch (token.provider()) {
-            case AZUREAD -> TokenType.AZURE_JWT;
-            case ISSO, STS -> TokenType.OIDC;
+            case ISSO, STS, AZUREAD -> TokenType.OIDC;
             case TOKENX -> TokenType.TOKENX;
             case IDPORTEN -> throw new IllegalStateException("IdPorten token støttes ikke.");
         };
     }
 
     public String getTokenBody() {
         return switch (tokenType) {
-            case OIDC, TOKENX, AZURE_JWT -> tokenPayloadBase64(openIDToken);
+            case OIDC, TOKENX -> tokenPayloadBase64(openIDToken);
             case SAML -> Base64.getEncoder().encodeToString(token.getBytes(StandardCharsets.UTF_8));
         };
     }

diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestMapper.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestMapper.java
@@ -71,7 +71,6 @@ private static List<XacmlRequest.AttributeAssignment> getTokenEnvironmentAttrs(f
             case OIDC -> NavFellesAttributter.ENVIRONMENT_FELLES_OIDC_TOKEN_BODY;
             case TOKENX -> NavFellesAttributter.ENVIRONMENT_FELLES_TOKENX_TOKEN_BODY;
             case SAML -> NavFellesAttributter.ENVIRONMENT_FELLES_SAML_TOKEN;
-            case AZURE_JWT -> NavFellesAttributter.ENVIRONMENT_FELLES_AZURE_JWT_TOKEN_BODY;
         };
         var assignement = new XacmlRequest.AttributeAssignment(envTokenBodyAttributt, beskyttetRessursAttributter.getToken().getTokenBody());
         return List.of(assignement);

diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/NavFellesAttributter.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/NavFellesAttributter.java
@@ -14,8 +14,6 @@ public class NavFellesAttributter {
     public static final String ENVIRONMENT_FELLES_SAML_TOKEN = "no.nav.abac.attributter.environment.felles.saml_token";
     public static final String ENVIRONMENT_FELLES_OIDC_TOKEN_BODY = "no.nav.abac.attributter.environment.felles.oidc_token_body";
 
-    public static final String ENVIRONMENT_FELLES_AZURE_JWT_TOKEN_BODY = "no.nav.abac.attributter.environment.felles.azure_jwt_token_body";
-
     public static final String ENVIRONMENT_FELLES_PEP_ID = "no.nav.abac.attributter.environment.felles.pep_id";
 
     public static final String RESOURCE_FELLES_RESOURCE_TYPE = "no.nav.abac.attributter.resource.felles.resource_type";

diff --git a/felles/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/oidc/OidcTokenValidator.java b/felles/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/oidc/OidcTokenValidator.java
@@ -96,7 +96,9 @@ private OidcTokenValidatorResult validate(TokenString tokenHolder, int allowedCl
                 return OidcTokenValidatorResult.invalid(error);
             }
             String subject = claims.getSubject();
-            if (OpenIDProvider.TOKENX.equals(provider)) {
+            if (OpenIDProvider.AZUREAD.equals(provider)) {
+                return validateAzure(claims, subject);
+            } else if (OpenIDProvider.TOKENX.equals(provider)) {
                 return validateTokenX(claims, subject);
             } else {
                 return OidcTokenValidatorResult.valid(subject, claims.getExpirationTime().getValue());
@@ -122,6 +124,11 @@ private String validateClaims(JwtClaims claims) throws MalformedClaimException {
         return null;
     }
 
+    private OidcTokenValidatorResult validateAzure(JwtClaims claims, String subject) throws MalformedClaimException {
+        var brukSubject = Optional.ofNullable(claims.getStringClaimValue("NAVident")).orElse(subject);
+        return OidcTokenValidatorResult.valid(brukSubject, claims.getExpirationTime().getValue());
+    }
+
     private OidcTokenValidatorResult validateTokenX(JwtClaims claims, String subject) throws MalformedClaimException {
         var level4 = Optional.ofNullable(claims.getStringClaimValue("acr"))
             .filter(AuthenticationLevelCredential.AUTHENTICATION_LEVEL_ID_PORTEN::equals).isPresent();

diff --git a/pom.xml b/pom.xml
@@ -7,7 +7,7 @@
     <parent>
         <groupId>no.nav.foreldrepenger.felles</groupId>
         <artifactId>fp-bom</artifactId>
-        <version>0.3.4</version>
+        <version>0.3.5</version>
     </parent>
 
     <artifactId>felles-root</artifactId>