From 3ae21befb69796b9f849440c376682bb7a8a6be9 Mon Sep 17 00:00:00 2001 
From: "Michal J. Sladek" Date: Mon, 19 Apr 2021 16:16:21 +0200 Subject: [PATCH] =?UTF-8?q?Flytter=20Jackson=20mapper=20til=20felles-mappe?= =?UTF-8?q?r,=20abac=20til=20felles-abac,=20ny=20im=E2=80=A6=20(#761)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Flytter Jackson mapper til felles-mapper, abac til felles-abac, ny implementasjon av pdp med jersey. --- .github/workflows/release.yml | 2 +- felles/abac/pom.xml | 70 +++++ .../sikkerhet/abac/AbacDto.java | 7 + .../sikkerhet/abac/AbacDtoSupplier.java} | 6 +- .../sikkerhet/abac/BeskyttetRessurs.java | 31 +- .../abac/BeskyttetRessursInterceptor.java | 135 +++++++++ .../sikkerhet/abac/PdpRequestBuilder.java | 8 + .../abac/auditlog}/AbacAuditlogger.java | 75 +++-- .../domene/AbacAttributtN\303\270kkel.java" | 30 ++ .../abac/domene/AbacAttributtType.java | 5 + .../abac/domene/AbacBehandlingStatus.java | 17 ++ .../abac/domene}/AbacDataAttributter.java | 9 +- .../abac/domene/AbacFagsakStatus.java | 16 + .../sikkerhet/abac/domene}/AbacResultat.java | 2 +- .../sikkerhet/abac/domene/ActionType.java} | 6 +- .../abac/domene/BeskyttRessursAttributer.java | 100 +++++++ .../sikkerhet/abac/domene/IdSubject.java | 41 +++ .../sikkerhet/abac/domene/IdToken.java | 40 +++ .../sikkerhet/abac/domene/ServiceType.java | 6 + .../domene/StandardAbacAttributtType.java | 36 +++ .../abac/domene}/Tilgangsbeslutning.java | 5 +- .../sikkerhet/abac/domene/TokenType.java | 7 + .../sikkerhet/abac/pdp/Pdp.java | 8 + .../sikkerhet/abac/pdp/PdpImpl.java | 107 +++++++ .../sikkerhet/abac/pdp/XacmlConsumer.java | 11 + .../abac/pdp/XacmlConsumerImpl.java} | 145 ++++++--- .../abac/pdp/XacmlRequestMapper.java | 189 ++++++++++++ .../sikkerhet/abac/pdp2/NyPdpImpl.java | 142 +++++++++ .../sikkerhet/abac/pdp2/NyXacmlConsumer.java | 10 + .../abac/pdp2/NyXacmlRequestMapper.java | 179 +++++++++++ .../abac/pdp2/XamclJerseyRestKlient.java | 64 ++++ .../sikkerhet/abac/pdp2/xacml/Advice.java | 7 + 
.../pdp2}/xacml/BiasedDecisionResponse.java | 4 +- .../sikkerhet/abac/pdp2}/xacml/Category.java | 4 +- .../sikkerhet/abac/pdp2/xacml}/Decision.java | 2 +- .../abac/pdp2}/xacml/Obligation.java | 2 +- .../abac/pdp2}/xacml/XacmlAttributeSet.java | 2 +- .../abac/pdp2/xacml/XacmlRequest.java | 92 ++++++ .../abac/pdp2}/xacml/XacmlRequestBuilder.java | 4 +- .../abac/pdp2/xacml/XacmlResponse.java | 137 +++++++++ .../pdp2}/xacml/XacmlResponseWrapper.java | 4 +- .../sikkerhet/abac/pep/PdpRequest.java | 232 +++++++++++++++ .../sikkerhet/abac/pep/Pep.java | 9 + .../sikkerhet/abac/pep/PepImpl.java | 126 ++++++++ .../abac/pep}/PepNektetTilgangException.java | 2 +- .../src/main/resources/META-INF/beans.xml | 6 + .../abac/BeskyttetRessursInterceptorTest.java | 219 ++++---------- .../sikkerhet/abac/pdp/PdpImplTest.java} | 154 +++++----- .../abac/pdp/XacmlConsumerImplTest.java} | 18 +- .../sikkerhet/abac/pdp2/NyPdpImplTest.java | 279 ++++++++++++++++++ .../abac/pdp2/XacmlRequestMapperTest.java | 226 ++++++++++++++ .../abac/pdp2/xacml/XacmlRequestTest.java | 41 +++ .../abac/pdp2/xacml/XacmlResponseTest.java | 29 ++ .../sikkerhet/abac/pep/PepImplTest.java | 102 +++++++ .../src/test/resources/META-INF/beans.xml | 6 + .../src/test/resources/application.properties | 1 + .../abac/src/test/resources/example-jwks.json | 12 + .../src/test/resources/example2-jwks.json | 20 ++ .../abac/src/test/resources/logback-test.xml | 22 ++ felles/abac/src/test/resources/request.json | 90 ++++++ felles/abac/src/test/resources/request1.json | 40 +++ .../src/test/resources/xacml3response.json | 64 ++++ .../test/resources/xacmlresponse-array.json | 33 +++ .../src/test/resources/xacmlresponse.json | 20 ++ .../xacmlresponse_1deny_1permit.json | 60 ++++ .../xacmlresponse_multiple_obligation.json | 37 +++ .../exception/FunksjonellException.java | 1 - .../exception/IntegrasjonException.java | 1 - .../exception/ManglerTilgangException.java | 1 - .../vedtak/exception/TekniskException.java | 1 - 
.../no/nav/vedtak/exception/VLException.java | 1 - .../main/java/no/nav/vedtak/package-info.java | 1 - .../no/nav/vedtak/log/audit/Auditlogger.java | 1 - felles/mapper/pom.xml | 34 +++ .../integrasjon/rest/DefaultJsonMapper.java | 3 +- felles/pom.xml | 17 ++ felles/sikkerhet/sikkerhet/pom.xml | 7 +- .../sikkerhet/abac/AbacAttributtSamling.java | 111 ------- .../sikkerhet/abac/AbacAttributtType.java | 9 - .../no/nav/vedtak/sikkerhet/abac/AbacDto.java | 5 - .../vedtak/sikkerhet/abac/AbacIdToken.java | 69 ----- .../sikkerhet/abac/AbacSporingslogg.java | 16 - .../vedtak/sikkerhet/abac/ActionUthenter.java | 65 ---- .../abac/BeskyttetRessursInterceptor.java | 173 ----------- .../abac/DefaultAbacSporingslogg.java | 225 -------------- .../sikkerhet/abac/JaasTokenProvider.java | 8 - .../abac/NavAbacCommonAttributter.java | 25 -- .../nav/vedtak/sikkerhet/abac/PdpKlient.java | 12 - .../nav/vedtak/sikkerhet/abac/PdpRequest.java | 62 ---- .../sikkerhet/abac/PdpRequestBuilder.java | 5 - .../no/nav/vedtak/sikkerhet/abac/Pep.java | 6 - .../no/nav/vedtak/sikkerhet/abac/PepImpl.java | 112 ------- .../abac/StandardAbacAttributtType.java | 62 ---- .../vedtak/sikkerhet/abac/TokenProvider.java | 19 -- .../nav/vedtak/sikkerhet/pdp/PdpConsumer.java | 8 - .../vedtak/sikkerhet/pdp/PdpKlientImpl.java | 145 --------- .../pdp/XacmlRequestBuilderTjeneste.java | 15 - .../sikkerhet/pdp/jaxrs/BasicAuthFilter.java | 37 --- .../vedtak/sikkerhet/pdp/xacml/Advice.java | 8 - .../sikkerhet/abac/AbacSporingsloggTest.java | 209 ------------- .../sikkerhet/abac/ActionUthenterTest.java | 57 ---- .../sikkerhet/abac/DummyRequestBuilder.java | 15 - .../vedtak/sikkerhet/abac/PdpRequestTest.java | 79 ----- .../vedtak/sikkerhet/abac/PepImplTest.java | 65 ---- .../pdp/XacmlRequestBuilderTjenesteImpl.java | 103 ------- .../sikkerhet/src/test/resources/request.json | 90 ++++++ .../src/test/resources/request1.json | 40 +++ .../src/test/resources/xacml3response.json | 24 +- .../test/resources/xacmlresponse-array.json 
| 12 +- .../src/test/resources/xacmlresponse.json | 20 +- .../xacmlresponse_1deny_1permit.json | 26 +- .../xacmlresponse_multiple_obligation.json | 24 +- felles/sikkerhet/testutilities/pom.xml | 2 +- .../sikkerhet/pdp/DummyRequestBuilder.java | 19 -- .../pdp/DummyXacmlRequestBuilderTjeneste.java | 20 -- felles/util/pom.xml | 9 +- .../rest/ArbeidsfordelingRestTest.java | 2 +- .../organisasjon/EregRestTest.java | 2 +- .../infotrygd/saker/v1/SerializationTest.java | 2 +- .../medl2/MedlemskapsunntakTest.java | 2 +- .../pdl/PdlDefaultErrorHandler.java | 2 +- .../integrasjon/pdl/TestJerseyPdlClient.java | 4 +- integrasjon/rest-klient/pom.xml | 4 + .../rest/AbstractOidcRestClient.java | 1 + .../rest/OAuth2AccessTokenClient.java | 1 + .../rest/StsAccessTokenClient.java | 1 + .../rest/jersey/AbstractJerseyRestClient.java | 4 +- .../felles/integrasjon/saf/SafTjeneste.java | 2 +- .../sak/v1/TestJerseySakClient.java | 4 +- pom.xml | 6 +- 130 files changed, 3505 insertions(+), 2226 deletions(-) create mode 100644 felles/abac/pom.xml create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/AbacDto.java rename felles/{sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/TilpassetAbacAttributt.java => abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/AbacDtoSupplier.java} (69%) rename felles/{sikkerhet/sikkerhet/src/main/java/no/nav/vedtak => abac/src/main/java/no/nav/foreldrepenger}/sikkerhet/abac/BeskyttetRessurs.java (55%) create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/BeskyttetRessursInterceptor.java create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/PdpRequestBuilder.java rename felles/{sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac => abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/auditlog}/AbacAuditlogger.java (61%) create mode 100644 "felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacAttributtN\303\270kkel.java" create 
mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacAttributtType.java create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacBehandlingStatus.java rename felles/{sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac => abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene}/AbacDataAttributter.java (91%) create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacFagsakStatus.java rename felles/{sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac => abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene}/AbacResultat.java (72%) rename felles/{sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursActionAttributt.java => abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/ActionType.java} (68%) create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/BeskyttRessursAttributer.java create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/IdSubject.java create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/IdToken.java create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/ServiceType.java create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/StandardAbacAttributtType.java rename felles/{sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac => abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene}/Tilgangsbeslutning.java (86%) create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/TokenType.java create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/Pdp.java create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/PdpImpl.java create mode 100644 
felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/XacmlConsumer.java rename felles/{sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumerImpl.java => abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/XacmlConsumerImpl.java} (61%) create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/XacmlRequestMapper.java create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/NyPdpImpl.java create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/NyXacmlConsumer.java create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/NyXacmlRequestMapper.java create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/XamclJerseyRestKlient.java create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/Advice.java rename felles/{sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp => abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2}/xacml/BiasedDecisionResponse.java (84%) rename felles/{sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp => abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2}/xacml/Category.java (65%) rename felles/{sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac => abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml}/Decision.java (72%) rename felles/{sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp => abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2}/xacml/Obligation.java (89%) rename felles/{sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp => abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2}/xacml/XacmlAttributeSet.java (96%) create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlRequest.java rename felles/{sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp => 
abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2}/xacml/XacmlRequestBuilder.java (93%) create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlResponse.java rename felles/{sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp => abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2}/xacml/XacmlResponseWrapper.java (98%) create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pep/PdpRequest.java create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pep/Pep.java create mode 100644 felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pep/PepImpl.java rename felles/{sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac => abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pep}/PepNektetTilgangException.java (87%) create mode 100644 felles/abac/src/main/resources/META-INF/beans.xml rename felles/{sikkerhet/sikkerhet/src/test/java/no/nav/vedtak => abac/src/test/java/no/nav/foreldrepenger}/sikkerhet/abac/BeskyttetRessursInterceptorTest.java (51%) rename felles/{sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImplTest.java => abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/PdpImplTest.java} (60%) rename felles/{sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumerImplTest.java => abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/XacmlConsumerImplTest.java} (83%) create mode 100644 felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/NyPdpImplTest.java create mode 100644 felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/XacmlRequestMapperTest.java create mode 100644 felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlRequestTest.java create mode 100644 felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlResponseTest.java create mode 100644 
felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pep/PepImplTest.java create mode 100644 felles/abac/src/test/resources/META-INF/beans.xml create mode 100644 felles/abac/src/test/resources/application.properties create mode 100644 felles/abac/src/test/resources/example-jwks.json create mode 100644 felles/abac/src/test/resources/example2-jwks.json create mode 100644 felles/abac/src/test/resources/logback-test.xml create mode 100644 felles/abac/src/test/resources/request.json create mode 100644 felles/abac/src/test/resources/request1.json create mode 100644 felles/abac/src/test/resources/xacml3response.json create mode 100644 felles/abac/src/test/resources/xacmlresponse-array.json create mode 100644 felles/abac/src/test/resources/xacmlresponse.json create mode 100644 felles/abac/src/test/resources/xacmlresponse_1deny_1permit.json create mode 100644 felles/abac/src/test/resources/xacmlresponse_multiple_obligation.json create mode 100644 felles/mapper/pom.xml rename felles/{util/src/main/java/no/nav/vedtak => mapper/src/main/java/no/nav/foreldrepenger}/felles/integrasjon/rest/DefaultJsonMapper.java (97%) delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAttributtSamling.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAttributtType.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacDto.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacIdToken.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacSporingslogg.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/ActionUthenter.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursInterceptor.java delete mode 100644 
felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/DefaultAbacSporingslogg.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/JaasTokenProvider.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/NavAbacCommonAttributter.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpKlient.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpRequest.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpRequestBuilder.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/Pep.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PepImpl.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/StandardAbacAttributtType.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/TokenProvider.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumer.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImpl.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestBuilderTjeneste.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/jaxrs/BasicAuthFilter.java delete mode 100644 felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Advice.java delete mode 100644 felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/AbacSporingsloggTest.java delete mode 100644 felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/ActionUthenterTest.java delete mode 100644 felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/DummyRequestBuilder.java delete mode 100644 
felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/PdpRequestTest.java delete mode 100644 felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java delete mode 100644 felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestBuilderTjenesteImpl.java create mode 100644 felles/sikkerhet/sikkerhet/src/test/resources/request.json create mode 100644 felles/sikkerhet/sikkerhet/src/test/resources/request1.json delete mode 100644 felles/sikkerhet/testutilities/src/main/java/no/nav/vedtak/felles/testutilities/sikkerhet/pdp/DummyRequestBuilder.java delete mode 100644 felles/sikkerhet/testutilities/src/main/java/no/nav/vedtak/felles/testutilities/sikkerhet/pdp/DummyXacmlRequestBuilderTjeneste.java diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7ed73e55b..3ba637c67 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ jobs: with: ref: 'master' - - name: Set up JDK 11 + - name: Set up Java uses: actions/setup-java@v2 with: distribution: 'adopt' diff --git a/felles/abac/pom.xml b/felles/abac/pom.xml new file mode 100644 index 000000000..d20164149 --- /dev/null +++ b/felles/abac/pom.xml @@ -0,0 +1,70 @@ + + + + felles + no.nav.foreldrepenger.felles + 3.0.83-SNAPSHOT + + 4.0.0 + + felles-abac + Felles :: ABAC + jar + + + + no.nav.foreldrepenger.felles + felles-feil + + + no.nav.foreldrepenger.felles + felles-log + + + no.nav.foreldrepenger.felles + felles-mapper + + + com.nimbusds + oauth2-oidc-sdk + 9.3.3 + + + net.minidev + json-smart + + + + + net.minidev + json-smart + 2.4.2 + + + org.ow2.asm + asm + + + + + jakarta.interceptor + jakarta.interceptor-api + + + + org.jboss.resteasy + resteasy-json-p-provider + ${resteasy.version} + + + org.apache.httpcomponents + httpclient + + + no.nav.foreldrepenger.felles.integrasjon + felles-integrasjon-rest-klient + + + 
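Review bot: `oauth2-oidc-sdk` (9.3.3) and `json-smart` (2.4.2) carry their versions inside this module pom, while the sibling `felles-*` and `httpclient` dependencies are version-managed by the parent. Managing those two in the parent's `dependencyManagement` gives one place to bump when a security release lands and makes the `json-smart` override (with its `asm` exclusion) apply to every module that pulls it in transitively, not just this one. The element structure of this hunk is not recoverable from this view, so the exact nesting is inferred from the rendered text.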
diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/AbacDto.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/AbacDto.java new file mode 100644 index 000000000..5669b1b63 --- /dev/null +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/AbacDto.java @@ -0,0 +1,7 @@ +package no.nav.foreldrepenger.sikkerhet.abac; + +import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacDataAttributter; + +public interface AbacDto { + AbacDataAttributter abacAttributter(); +} diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/TilpassetAbacAttributt.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/AbacDtoSupplier.java similarity index 69% rename from felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/TilpassetAbacAttributt.java rename to felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/AbacDtoSupplier.java index d7a673e8b..b6f86ccdb 100644 --- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/TilpassetAbacAttributt.java +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/AbacDtoSupplier.java @@ -1,4 +1,4 @@ -package no.nav.vedtak.sikkerhet.abac; +package no.nav.foreldrepenger.sikkerhet.abac; import java.lang.annotation.ElementType; import java.lang.annotation.Retention; @@ -6,9 +6,11 @@ import java.lang.annotation.Target; import java.util.function.Function; +import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacDataAttributter; + @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.PARAMETER}) -public @interface TilpassetAbacAttributt { +public @interface AbacDtoSupplier { Class> supplierClass(); 
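Review bot: `supplierClass()` is instantiated reflectively in BeskyttetRessursInterceptor via `getDeclaredConstructor().newInstance()`, so the contract that the supplier type must have an accessible no-arg constructor and be side-effect free lives only in the interceptor's catch clauses. Add a Javadoc on the annotation stating that requirement, e.g. `/** Function mapping the annotated parameter to its ABAC attributes; must have a public no-arg constructor, it is instantiated per call. */`. The generic bound on `supplierClass()` is lost in this rendering, so it could not be checked here.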
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessurs.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/BeskyttetRessurs.java similarity index 55% rename from felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessurs.java rename to felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/BeskyttetRessurs.java index 6770c81de..c93404868 100644 --- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessurs.java +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/BeskyttetRessurs.java @@ -1,4 +1,4 @@ -package no.nav.vedtak.sikkerhet.abac; +package no.nav.foreldrepenger.sikkerhet.abac; import java.lang.annotation.ElementType; import java.lang.annotation.Inherited; @@ -8,17 +8,33 @@ import javax.enterprise.util.Nonbinding; import javax.interceptor.InterceptorBinding; -import javax.ws.rs.NameBinding; + +import no.nav.foreldrepenger.sikkerhet.abac.domene.ActionType; +import no.nav.foreldrepenger.sikkerhet.abac.domene.ServiceType; @Inherited @InterceptorBinding @Retention(RetentionPolicy.RUNTIME) @Target({ ElementType.TYPE, ElementType.METHOD }) -@NameBinding public @interface BeskyttetRessurs { + + /** + * Property som avgjør om bl. annet hva slags token skal brukes. + * Def fleste tjenester implementerer REST så det er default men WS will trenge SAML. + */ + @Nonbinding + ServiceType service() default ServiceType.REST; + + /** + * Property som beskriver CRUD aksjon utført av tjenesten. + */ @Nonbinding - BeskyttetRessursActionAttributt action(); + ActionType action(); + /** + * Ressurs type knyttet til ABAC policy man beskyttet tilgang til. + * Må ikke settes om property() brukes. + */ @Nonbinding String resource() default ""; 
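Review bot: The Javadoc on `resource()` says it must not be set when `property()` is used, but nothing enforces that — in BeskyttetRessursInterceptor.hentAttributter the `property()` branch is checked first and `resource()` is silently ignored when both are present. Either document the actual precedence (property() wins) or have the interceptor reject annotations that set both, since a mismatch here decides which policy resource the PDP evaluates. The `service()` Javadoc also has typos (`Def fleste` → `De fleste`, `will` → `vil`, `bl. annet hva` reads oddly).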
@@ -37,4 +53,11 @@ */ @Nonbinding boolean sporingslogg() default true; + + /** + * Path til tjenseten uten base_url. Brukes til sporingslogge tilgang til en konkrett tjeneste. + * Bør starte med / og være representert av @Path for alle REST tjenester eller med @Method for WS. + */ + @Nonbinding + String path(); } diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/BeskyttetRessursInterceptor.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/BeskyttetRessursInterceptor.java new file mode 100644 index 000000000..906ab8d3a --- /dev/null +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/BeskyttetRessursInterceptor.java 
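Review bot: `path()` has no default, so every `@BeskyttetRessurs` now has to supply one, yet the only constraint (should start with `/`) is in the Javadoc, and the interceptor's own binding in this commit passes `path = ""`, showing that an empty value is accepted silently. Because the value ends up as the request path in the audit log, consider validating it where it is read (non-blank, starts with `/`) or documenting that an empty path is reserved for the interceptor binding itself. Typos in the new Javadoc: `tjenseten` → `tjenesten`, `konkrett` → `konkret`.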
@@ -0,0 +1,135 @@
+package no.nav.foreldrepenger.sikkerhet.abac;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.Collection;
+
+import javax.annotation.Priority;
+import javax.enterprise.context.Dependent;
+import javax.inject.Inject;
+import javax.interceptor.AroundInvoke;
+import javax.interceptor.Interceptor;
+import javax.interceptor.InvocationContext;
+
+import no.nav.foreldrepenger.sikkerhet.abac.auditlog.AbacAuditlogger;
+import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacResultat;
+import no.nav.foreldrepenger.sikkerhet.abac.domene.ActionType;
+import no.nav.foreldrepenger.sikkerhet.abac.domene.BeskyttRessursAttributer;
+import no.nav.foreldrepenger.sikkerhet.abac.domene.Tilgangsbeslutning;
+import no.nav.foreldrepenger.sikkerhet.abac.pep.Pep;
+import no.nav.foreldrepenger.sikkerhet.abac.pep.PepNektetTilgangException;
+import no.nav.vedtak.exception.TekniskException;
+import no.nav.vedtak.util.env.Environment;
+
+
+@BeskyttetRessurs(action = ActionType.DUMMY, path = "")
+@Interceptor
+@Priority(Interceptor.Priority.APPLICATION + 11)
+@Dependent
+public class BeskyttetRessursInterceptor {
+
+    private static final Environment ENV = Environment.current();
+
+    private final Pep pep;
+    private final AbacAuditlogger abacAuditlogger;
+
+    @Inject
+    public BeskyttetRessursInterceptor(Pep pep, AbacAuditlogger abacAuditlogger) {
+        this.pep = pep;
+        this.abacAuditlogger = abacAuditlogger;
+    }
+
+    @AroundInvoke
+    public Object wrapTransaction(final InvocationContext invocationContext) throws Exception {
+        var attributter = hentAttributter(invocationContext);
+        var beslutning = pep.vurderTilgang(attributter);
+        if (beslutning.fikkTilgang()) {
+            return proceed(invocationContext, attributter, beslutning);
+        }
+        return ikkeTilgang(attributter, beslutning);
+    }
+
+    private BeskyttRessursAttributer hentAttributter(InvocationContext invocationContext) {
+        var method = invocationContext.getMethod();
+        var beskyttetRessurs = method.getAnnotation(BeskyttetRessurs.class);
+
+        var attributter = new BeskyttRessursAttributer()
+            .setServiceType(beskyttetRessurs.service())
+            .setActionType(beskyttetRessurs.action())
+            .setRequestPath(beskyttetRessurs.path());
+
+        if (!beskyttetRessurs.property().isEmpty()) {
+            var resource = ENV.getProperty(beskyttetRessurs.property());
+            attributter.setResource(resource);
+        } else if (!beskyttetRessurs.resource().isEmpty()) {
+            attributter.setResource(beskyttetRessurs.resource());
+        }
+
+        // Legg på alle attributer fra AbacDtoer og AbacDtoSupplier
+        var parameterDecl = method.getParameters();
+        for (int i = 0; i < method.getParameterCount(); i++) {
+            Object parameterValue = invocationContext.getParameters()[i];
+            AbacDtoSupplier supplierAnnoterign = parameterDecl[i].getAnnotation(AbacDtoSupplier.class);
+            leggTilAttributterFraParameter(attributter, parameterValue, supplierAnnoterign);
+        }
+        return attributter;
+    }
+
+    @SuppressWarnings("rawtypes")
+    static void leggTilAttributterFraParameter(BeskyttRessursAttributer attributter, Object parameterValue, AbacDtoSupplier supplierAnnotering) {
+        if (supplierAnnotering != null) {
+            leggTil(attributter, supplierAnnotering, parameterValue);
+        } else {
+            if (parameterValue instanceof AbacDto) { // NOSONAR for å støtte både enkelt-DTO-er og collection av DTO-er
+                attributter.leggTil(((AbacDto) parameterValue).abacAttributter());
+            } else if (parameterValue instanceof Collection) { // NOSONAR for å støtte både enkelt-DTO-er og collection av DTO-er
+                leggTilAbacDtoSamling(attributter, (Collection) parameterValue);
+            }
+        }
+    }
+
+    private static void leggTilAbacDtoSamling(BeskyttRessursAttributer attributter, Collection parameterValue) {
+        for (Object value : parameterValue) {
+            if (value instanceof AbacDto) {
+                attributter.leggTil(((AbacDto) value).abacAttributter());
+            } else {
+                throw new TekniskException("F-261962",
+                    String.format("Ugyldig input forventet at samling inneholdt bare AbacDto-er, men fant %s",
+                        value != null ? value.getClass().getName() : "null"));
+            }
+        }
+    }
+
+    private static void leggTil(BeskyttRessursAttributer attributter, AbacDtoSupplier abacDtoSupplier, Object verdi) {
+        try {
+            var dataAttributter = abacDtoSupplier.supplierClass().getDeclaredConstructor().newInstance().apply(verdi);
+            attributter.leggTil(dataAttributter);
+        } catch (NoSuchMethodException | IllegalAccessException | InstantiationException e) {
+            throw new IllegalStateException(e);
+        } catch (InvocationTargetException e) {
+            throw new IllegalStateException(e.getCause());
+        }
+    }
+
+    private Object proceed(InvocationContext invocationContext, BeskyttRessursAttributer attributter, Tilgangsbeslutning beslutning) throws Exception {
+        Method method = invocationContext.getMethod();
+        boolean auditlogges = method.getAnnotation(BeskyttetRessurs.class).sporingslogg();
+        if (auditlogges) {
+            abacAuditlogger.loggTilgang(beslutning.getPdpRequest(), attributter);
+            return invocationContext.proceed();
+        }
+        return invocationContext.proceed();
+    }
+
+    private Object ikkeTilgang(BeskyttRessursAttributer attributter, Tilgangsbeslutning beslutning) {
+        abacAuditlogger.loggDeny(beslutning.getPdpRequest(), attributter);
+
+        switch (beslutning.getBeslutningKode()) {
+            case AVSLÅTT_KODE_6: throw new PepNektetTilgangException("F-709170", "Tilgangskontroll.Avslag.Kode6");
+            case AVSLÅTT_KODE_7: throw new PepNektetTilgangException("F-027901", "Tilgangskontroll.Avslag.Kode7");
+            case AVSLÅTT_EGEN_ANSATT: throw new PepNektetTilgangException("F-788257", "Tilgangskontroll.Avslag.EgenAnsatt");
+            default: throw new PepNektetTilgangException("F-608625", "Ikke tilgang");
+        }
+    }
+
+}
diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/PdpRequestBuilder.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/PdpRequestBuilder.java
new file mode 100644
index 000000000..bdccd3a62
--- /dev/null
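Review bot: In hentAttributter, when `property()` names a key that is not set in the environment, `ENV.getProperty(...)` (presumably null in that case — confirm against Environment) is passed straight to `setResource`, and the request still goes to the PDP with no resource type, so whether access is denied depends on how PdpRequest and the policy treat a missing resource rather than on this code failing closed. Guard it before `attributter.setResource(resource)`: `if (resource == null || resource.isBlank()) { throw new TekniskException(<error code placeholder>, "Fant ingen ABAC-ressurs for property " + beskyttetRessurs.property()); }`. In `proceed` both branches end in `return invocationContext.proceed();`, so it collapses to `if (auditlogges) { abacAuditlogger.loggTilgang(beslutning.getPdpRequest(), attributter); } return invocationContext.proceed();`, and the raw `Collection` parameter with its `@SuppressWarnings("rawtypes")` can simply be `Collection<?>`. `ikkeTilgang` audit-logs every deny regardless of `sporingslogg()` while the grant path honours the flag; that looks deliberate (denies should always be traceable), but a one-line comment saying so would stop a later "consistency fix" from removing it. The local `supplierAnnoterign` is misspelled.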
+++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/PdpRequestBuilder.java @@ -0,0 +1,8 @@ +package no.nav.foreldrepenger.sikkerhet.abac; + +import no.nav.foreldrepenger.sikkerhet.abac.domene.BeskyttRessursAttributer; +import no.nav.foreldrepenger.sikkerhet.abac.pep.PdpRequest; + +public interface PdpRequestBuilder { + PdpRequest lagPdpRequest(BeskyttRessursAttributer attributter); +} diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAuditlogger.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/auditlog/AbacAuditlogger.java similarity index 61% rename from felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAuditlogger.java rename to felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/auditlog/AbacAuditlogger.java index 15159eaa5..054fdc042 100644 --- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAuditlogger.java +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/auditlog/AbacAuditlogger.java @@ -1,4 +1,4 @@ -package no.nav.vedtak.sikkerhet.abac; +package no.nav.foreldrepenger.sikkerhet.abac.auditlog; import static java.util.Objects.requireNonNull; import static no.nav.vedtak.log.audit.CefFieldName.ABAC_ACTION; 
@@ -12,12 +12,10 @@ import static no.nav.vedtak.log.audit.EventClassId.AUDIT_ACCESS; import static no.nav.vedtak.log.audit.EventClassId.AUDIT_CREATE; import static no.nav.vedtak.log.audit.EventClassId.AUDIT_UPDATE; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR; -import static no.nav.vedtak.sikkerhet.abac.StandardAbacAttributtType.BEHANDLING_ID; -import static no.nav.vedtak.sikkerhet.abac.StandardAbacAttributtType.BEHANDLING_UUID; -import static no.nav.vedtak.sikkerhet.abac.StandardAbacAttributtType.FAGSAK_ID; -import static no.nav.vedtak.sikkerhet.abac.StandardAbacAttributtType.SAKSNUMMER; +import static no.nav.foreldrepenger.sikkerhet.abac.domene.StandardAbacAttributtType.BEHANDLING_ID; +import static no.nav.foreldrepenger.sikkerhet.abac.domene.StandardAbacAttributtType.BEHANDLING_UUID; +import static no.nav.foreldrepenger.sikkerhet.abac.domene.StandardAbacAttributtType.FAGSAK_ID; +import static no.nav.foreldrepenger.sikkerhet.abac.domene.StandardAbacAttributtType.SAKSNUMMER; import java.util.HashSet; import java.util.List; @@ -34,6 +32,10 @@ import no.nav.vedtak.log.audit.Auditlogger; import no.nav.vedtak.log.audit.CefField; import no.nav.vedtak.log.audit.EventClassId; +import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacAttributtType; +import no.nav.foreldrepenger.sikkerhet.abac.domene.BeskyttRessursAttributer; +import no.nav.foreldrepenger.sikkerhet.abac.pep.PdpRequest; + /** * Dette loggformatet er avklart med Arcsight. Eventuelle nye felter skal 
@@ -50,24 +52,20 @@ public AbacAuditlogger(Auditlogger auditlogger) { this.auditlogger = auditlogger; } - public void loggTilgang(String userId, PdpRequest pdpRequest, AbacAttributtSamling attributter) { - logg(userId, pdpRequest, attributter, Access.GRANTED); - } - - public void loggDeny(String userId, PdpRequest pdpRequest, AbacAttributtSamling attributter) { - logg(userId, pdpRequest, attributter, Access.DENIED); + public void loggTilgang(PdpRequest pdpRequest, BeskyttRessursAttributer attributter) { + logg(pdpRequest, attributter, Access.GRANTED); } - public boolean isEnabled() { - return auditlogger.isEnabled(); + public void loggDeny(PdpRequest pdpRequest, BeskyttRessursAttributer attributter) { + logg(pdpRequest, attributter, Access.DENIED); } - private void logg(String userId, PdpRequest pdpRequest, AbacAttributtSamling attributter, Access access) { + private void logg(PdpRequest pdpRequest, BeskyttRessursAttributer attributter, Access access) { requireNonNull(pdpRequest); - String abacAction = requireNonNull(pdpRequest.getString(NavAbacCommonAttributter.XACML10_ACTION_ACTION_ID)); + String abacAction = requireNonNull(pdpRequest.getActionId().getEksternKode()); var header = createHeader(abacAction, access); - var fields = createDefaultAbacFields(userId, pdpRequest, attributter); + var fields = createDefaultAbacFields(pdpRequest, attributter); List ids = getBerortBrukerId(pdpRequest); for (String aktorId : ids) { 
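Review bot: `requireNonNull(pdpRequest.getActionId().getEksternKode())` in `logg` dereferences `getActionId()` before the null check, so a request without an action fails with a bare NullPointerException rather than the intended requireNonNull; the identical expression is recomputed in `createDefaultAbacFields` in the next hunk. Resolve it once, `String abacAction = requireNonNull(pdpRequest.getActionId(), "actionId").getEksternKode();`, and pass it down instead of repeating it. Whether `getActionId()` can be null is not visible from PdpRequest here. The public `isEnabled()` is removed without replacement, which breaks any caller that consulted it before logging; if intentional it belongs in the description. `logg` continues outside the hunk.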
@@ -92,18 +90,18 @@ private AuditdataHeader createHeader(String abacAction, Access access) { .build(); } - private Set createDefaultAbacFields(String userId, PdpRequest pdpRequest, AbacAttributtSamling attributter) { - String abacAction = requireNonNull(pdpRequest.getString(NavAbacCommonAttributter.XACML10_ACTION_ACTION_ID)); - String abacResourceType = requireNonNull(pdpRequest.getString(NavAbacCommonAttributter.RESOURCE_FELLES_RESOURCE_TYPE)); + private Set createDefaultAbacFields(PdpRequest pdpRequest, BeskyttRessursAttributer attributter) { + String abacAction = requireNonNull(pdpRequest.getActionId().getEksternKode()); + String abacResourceType = requireNonNull(pdpRequest.getResourceType()); Set fields = new HashSet<>(); fields.add(new CefField(EVENT_TIME, System.currentTimeMillis())); - fields.add(new CefField(REQUEST, attributter.getAction())); fields.add(new CefField(ABAC_RESOURCE_TYPE, abacResourceType)); fields.add(new CefField(ABAC_ACTION, abacAction)); + fields.add(new CefField(REQUEST, pdpRequest.getRequest())); - if (userId != null) { - fields.add(new CefField(USER_ID, userId)); + if (pdpRequest.getUserId() != null) { + fields.add(new CefField(USER_ID, pdpRequest.getUserId())); } getOneOf(attributter, SAKSNUMMER, FAGSAK_ID).ifPresent(fagsak -> { 
@@ -121,41 +119,36 @@ private List getBerortBrukerId(PdpRequest pdpRequest) { /* * Arcsight foretrekker FNR fremfor AktørID, men det er uklart hvordan de * håndterer blanding (har sendt forespørsel, men ikke fått svar). Velger derfor - * at AktørID prioriteres (siden alle kallene i k9-sak har denne). + * at AktørID prioriteres. */ - final List ids = allNonNullValues(pdpRequest, RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE); + final List ids = allNonNullValues(pdpRequest.getAktørIder()); if (!ids.isEmpty()) { return ids; } - return allNonNullValues(pdpRequest, RESOURCE_FELLES_PERSON_FNR); + return allNonNullValues(pdpRequest.getPersonnummere()); } - private static final Optional getOneOf(AbacAttributtSamling attributter, AbacAttributtType... typer) { + private static Optional getOneOf(BeskyttRessursAttributer attributter, AbacAttributtType... typer) { for (AbacAttributtType key : typer) { final Set values = attributter.getVerdier(key); if (!values.isEmpty()) { - return Optional.of(values.stream().map(v -> v.toString()).collect(Collectors.joining(","))); + return Optional.of(values.stream().map(Object::toString).collect(Collectors.joining(","))); } } return Optional.empty(); } - private static final EventClassId finnEventClassIdFra(String abacAction) { + private static EventClassId finnEventClassIdFra(String abacAction) { switch (abacAction) { - case "read": - return AUDIT_ACCESS; - case "delete": /* Fall-through */ - case "update": - return AUDIT_UPDATE; - case "create": - return AUDIT_CREATE; - default: - throw new IllegalArgumentException("Ukjent abacAction: " + abacAction); + case "read": return AUDIT_ACCESS; + case "delete": case "update": return AUDIT_UPDATE; + case "create": return AUDIT_CREATE; + default: throw new IllegalArgumentException("Ukjent abacAction: " + abacAction); } } - private static final List allNonNullValues(PdpRequest pdpRequest, String key) { - return pdpRequest.getListOfString(key).stream() + private static List allNonNullValues(Set identer) { 
+ return identer.stream() .filter(Objects::nonNull) .collect(Collectors.toList()); } diff --git "a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacAttributtN\303\270kkel.java" "b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacAttributtN\303\270kkel.java" new file mode 100644 index 000000000..65a3d878b --- /dev/null +++ "b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacAttributtN\303\270kkel.java" 
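Review bot: `allNonNullValues(pdpRequest.getAktørIder())` and `allNonNullValues(pdpRequest.getPersonnummere())` in `getBerortBrukerId` hand the collection straight to `.stream()`, so a null from either accessor turns an audit-log call on the access path into a NullPointerException, whereas the old `getListOfString(key)` form presumably always returned a list. Unless PdpRequest guarantees non-null sets (not visible here), make the helper tolerant: `return identer == null ? List.of() : identer.stream().filter(Objects::nonNull).collect(Collectors.toList());`. A short comment on `getBerortBrukerId` stating that an empty result is expected for requests without person identifiers would also help, since the caller loops over the ids and logs nothing in that case.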
@@ -0,0 +1,30 @@ +package no.nav.foreldrepenger.sikkerhet.abac.domene; + +/** + * Inneholder subset av konstanter deklareret i abac-common-attributter modul i Nav. Denne ligger ikke tilgjengelig + * på GPR eller Maven Central, derfor har vi valgt å kopiere de konstanter her. + */ +public class AbacAttributtNøkkel { + + public static final String ACTION_ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"; + public static final String ENVIRONMENT_OIDC_TOKEN_BODY = "no.nav.abac.attributter.environment.felles.oidc_token_body"; + public static final String ENVIRONMENT_TOKENX_TOKEN_BODY = "no.nav.no.nav.no.nav.abac.attributter.environment.felles.tokenx_token_body"; + public static final String ENVIRONMENT_SAML_TOKEN = "no.nav.abac.attributter.environment.felles.saml_token"; + public static final String ENVIRONMENT_PEP_ID = "no.nav.abac.attributter.environment.felles.pep_id"; + public static final String RESOURCE_RESOURCE_TYPE = "no.nav.abac.attributter.resource.felles.resource_type"; + public static final String RESOURCE_DOMENE = "no.nav.abac.attributter.resource.felles.domene"; + public static final String RESOURCE_PERSON_NAVN = "no.nav.abac.attributter.resource.felles.person.navn"; + public static final String RESOURCE_PERSON_FNR = "no.nav.abac.attributter.resource.felles.person.fnr"; + public static final String RESOURCE_PERSON_AKTOERID = "no.nav.abac.attributter.resource.felles.person.aktoerId_resource"; + public static final String SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"; + public static final String SUBJECT_TYPE = "no.nav.abac.attributter.subject.felles.subjectType"; + public static final String SUBJECT_LEVEL = "no.nav.abac.attributter.subject.felles.authenticationLevel"; + + public static final String RESOURCE_FORELDREPENGER_SAK_AKSJONSPUNKT_TYPE = "no.nav.abac.attributter.resource.foreldrepenger.sak.aksjonspunkt_type"; + public static final String RESOURCE_FORELDREPENGER_SAK_ANSVARLIG_SAKSBEHANDLER = 
"no.nav.abac.attributter.resource.foreldrepenger.sak.ansvarlig_saksbehandler"; + public static final String RESOURCE_FORELDREPENGER_SAK_BEHANDLINGSSTATUS = "no.nav.abac.attributter.resource.foreldrepenger.sak.behandlingsstatus"; + public static final String RESOURCE_FORELDREPENGER_SAK_SAKSSTATUS = "no.nav.abac.attributter.resource.foreldrepenger.sak.saksstatus"; + + public static final String RESOURCE_FORELDREPENGER_ALENEOMSORG = "no.nav.abac.attributter.resource.foreldrepenger.aleneomsorg"; + public static final String RESOURCE_FORELDREPENGER_ANNEN_PART = "no.nav.abac.attributter.resource.foreldrepenger.annen_part"; +} diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacAttributtType.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacAttributtType.java new file mode 100644 index 000000000..db8b989fd --- /dev/null +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacAttributtType.java @@ -0,0 +1,5 @@ +package no.nav.foreldrepenger.sikkerhet.abac.domene; + +public interface AbacAttributtType { + boolean getMaskerOutput(); +} diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacBehandlingStatus.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacBehandlingStatus.java new file mode 100644 index 000000000..1fef4d486 --- /dev/null +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacBehandlingStatus.java @@ -0,0 +1,17 @@ +package no.nav.foreldrepenger.sikkerhet.abac.domene; + +public enum AbacBehandlingStatus { + OPPRETTET("Opprettet"), + UTREDES("Behandling utredes"), + FATTE_VEDTAK("Kontroller og fatte vedtak"); + + private final String eksternKode; + + AbacBehandlingStatus(String eksternKode) { + this.eksternKode = eksternKode; + } + + public String getEksternKode() { + return eksternKode; + } +} 
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacDataAttributter.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacDataAttributter.java similarity index 91% rename from felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacDataAttributter.java rename to felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacDataAttributter.java index 413df1770..db755134b 100644 --- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacDataAttributter.java +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacDataAttributter.java @@ -1,4 +1,4 @@ -package no.nav.vedtak.sikkerhet.abac; +package no.nav.foreldrepenger.sikkerhet.abac.domene; import static java.util.Objects.requireNonNull; @@ -44,11 +44,8 @@ public AbacDataAttributter leggTil(AbacAttributtType type, Collection sa public AbacDataAttributter leggTil(AbacAttributtType type, Object verdi) { requireNonNull(verdi, "Attributt av type " + type + " kan ikke være null"); //$NON-NLS-1$ //$NON-NLS-2$ - Set a = attributter.get(type); - if (a == null) { - a = new LinkedHashSet<>(4); // det er vanligvis bare 1 attributt i settet - attributter.put(type, a); - } + Set a = attributter.computeIfAbsent(type, k -> new LinkedHashSet<>(4)); + // det er vanligvis bare 1 attributt i settet a.add(verdi); return this; } diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacFagsakStatus.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacFagsakStatus.java new file mode 100644 index 000000000..8bdb355f7 --- /dev/null +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacFagsakStatus.java 
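Review bot: The comment `// det er vanligvis bare 1 attributt i settet` in `leggTil` now stands on its own line after the `computeIfAbsent` call, where it no longer explains the `4` it used to sit next to (the initial capacity of the LinkedHashSet); move it onto the `computeIfAbsent` line as a trailing comment so the value it justifies stays visible. The eager concatenation in `requireNonNull(verdi, "Attributt av type " + type + " kan ikke være null")` builds the message on every successful call; `Objects.requireNonNull(verdi, () -> "Attributt av type " + type + " kan ikke være null")` defers it to the failure case.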
@@ -0,0 +1,16 @@ +package no.nav.foreldrepenger.sikkerhet.abac.domene; + +public enum AbacFagsakStatus { + OPPRETTET("Opprettet"), + UNDER_BEHANDLING("Under behandling"); + + private final String eksternKode; + + AbacFagsakStatus(String eksternKode) { + this.eksternKode = eksternKode; + } + + public String getEksternKode() { + return eksternKode; + } +} diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacResultat.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacResultat.java similarity index 72% rename from felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacResultat.java rename to felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacResultat.java index 135bf7aea..167c8bb21 100644 --- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacResultat.java +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/AbacResultat.java @@ -1,4 +1,4 @@ -package no.nav.vedtak.sikkerhet.abac; +package no.nav.foreldrepenger.sikkerhet.abac.domene; public enum AbacResultat { GODKJENT, diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursActionAttributt.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/ActionType.java similarity index 68% rename from felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursActionAttributt.java rename to felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/ActionType.java index b39705ed7..39fa62d35 100644 --- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursActionAttributt.java +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/ActionType.java 
@@ -1,6 +1,6 @@ -package no.nav.vedtak.sikkerhet.abac; +package no.nav.foreldrepenger.sikkerhet.abac.domene; -public enum BeskyttetRessursActionAttributt { +public enum ActionType { READ("read"), UPDATE("update"), CREATE("create"), @@ -13,7 +13,7 @@ public enum BeskyttetRessursActionAttributt { private String eksternKode; - BeskyttetRessursActionAttributt(String eksternKode) { + ActionType(String eksternKode) { this.eksternKode = eksternKode; } diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/BeskyttRessursAttributer.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/BeskyttRessursAttributer.java new file mode 100644 index 000000000..79a4837ab --- /dev/null +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/BeskyttRessursAttributer.java 
@@ -0,0 +1,100 @@ +package no.nav.foreldrepenger.sikkerhet.abac.domene; + +import java.net.URI; +import java.util.Set; + +import com.nimbusds.jwt.SignedJWT; + +public class BeskyttRessursAttributer { + + private final AbacDataAttributter dataAttributter = AbacDataAttributter.opprett(); + private ActionType actionType; + private ServiceType serviceType; + private String resource; + private String requestPath; + + public BeskyttRessursAttributer() { + } + + public BeskyttRessursAttributer leggTil(AbacDataAttributter dataAttributter) { + this.dataAttributter.leggTil(dataAttributter); + return this; + } + + public Set getVerdier(AbacAttributtType type) { + return dataAttributter.getVerdier(type); + } + + public Set keySet() { + return dataAttributter.keySet(); + } + + @Override + public String toString() { + return BeskyttRessursAttributer.class.getSimpleName() + '{' + + " actionType='" + actionType + "'" + + " serviceType='" + serviceType + "'" + + " resource='" + resource + "' " + + " requestPath='" + requestPath + "'" + + dataAttributter + + '}'; + } + + public BeskyttRessursAttributer setActionType(ActionType actionType) { + this.actionType = actionType; + return this; + } + + public ActionType getActionType() { + return actionType; + } + + public BeskyttRessursAttributer setServiceType(final ServiceType serviceType) { + this.serviceType = serviceType; + return this; + } + + public ServiceType getServiceType() { + return serviceType; + } + + public BeskyttRessursAttributer setResource(String resource) { + this.resource = resource; + return this; + } + + public String getResource() { + return resource; + } + + public int getTotalAntallAttributter() { + return dataAttributter.keySet().stream().mapToInt(k -> dataAttributter.getVerdier(k).size()).sum(); + } + + public int kryssProduktAntallAttributter() { + return dataAttributter.keySet().stream() + .mapToInt(k -> dataAttributter.getVerdier(k).size()) + .filter(s -> s > 0) + .reduce(1, (a, b) -> a * b); + } + + public 
BeskyttRessursAttributer setRequestPath(String requestPath) { + this.requestPath = requestPath; + return this; + } + + public String getRequestPath() { + return requestPath; + } + + private static TokenType oidcTokenType(String token) { + try { + return URI.create(SignedJWT.parse(token) + .getJWTClaimsSet().getIssuer()).getHost().contains("tokendings") ? TokenType.TOKENX : TokenType.OIDC; + + } catch (Exception e) { + throw new IllegalArgumentException("Ukjent token type"); + } + } + +} diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/IdSubject.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/IdSubject.java new file mode 100644 index 000000000..bb95f84f2 --- /dev/null +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/IdSubject.java @@ -0,0 +1,41 @@ +package no.nav.foreldrepenger.sikkerhet.abac.domene; + +import java.util.Optional; + +public class IdSubject { + + private final String subjectId; + private final String subjectLevel; + private final String subjectType; + + private IdSubject(String subjectId, String subjectType, String subjectLevel) { + this.subjectId = subjectId; + this.subjectType = subjectType; + this.subjectLevel = subjectLevel; + } + + public static IdSubject with(String id, String type, String level) { + return new IdSubject(id, type, level); + } + + public static IdSubject with(String id, String type) { + return with(id, type, null); + } + + public String getSubjectId() { + return subjectId; + } + + public String getSubjectType() { + return subjectType; + } + + public Optional getSubjectLevel() { + return Optional.ofNullable(subjectLevel); + } + + @Override + public String toString() { + return getClass().getSimpleName() + " [subject={subjectId='MASKERT', subjectType=" + subjectType + ", subjectLevel=" + subjectLevel + "}]"; + } +} 
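Review bot: `oidcTokenType` at the end of BeskyttRessursAttributer is private, static and called by nothing in the class, and its `catch (Exception e)` rethrows `new IllegalArgumentException("Ukjent token type")` without the cause, which also hides the NullPointerException that `URI.getHost()` returning null would produce. Either delete the method or keep the cause: `throw new IllegalArgumentException("Ukjent token type", e);`. Note that `SignedJWT.parse` only decodes, so the issuer behind the `contains("tokendings")` check is unverified input; that is acceptable for picking a token type but must not feed a trust decision, and an exact host comparison is less fragile than a substring match — a comment such as `// kun klassifisering; issuer er ikke verifisert her` would make the limit explicit. `setResource` and `setRequestPath` accept null without comment; if null is a valid "no resource" value, say so on the getters.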
diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/IdToken.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/IdToken.java
new file mode 100644
index 000000000..4ae238671
--- /dev/null
+++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/IdToken.java
@@ -0,0 +1,40 @@
+package no.nav.foreldrepenger.sikkerhet.abac.domene;
+
+public class IdToken {
+
+ private final String token;
+ private final TokenType tokenType;
+
+ private IdToken(String token, TokenType tokenType) {
+ this.token = token;
+ this.tokenType = tokenType;
+ }
+
+ public static IdToken withToken(String token, TokenType type) {
+ return new IdToken(token, type);
+ }
+
+ public TokenType getTokenType() {
+ return tokenType;
+ }
+
+ public String getToken() {
+ return token;
+ }
+
+ @Override
+ public String toString() {
+ return getClass().getSimpleName() + " [token=" + maskertToken() + ", tokenType=" + tokenType + "]";
+ }
+
+ private String maskertToken() {
+ if (tokenType == TokenType.SAML) {
+ return "samlToken='MASKERT'";
+ }
+ return "jwtToken='" + maskerOidcToken(token) + '\'';
+ }
+
+ private static String maskerOidcToken(String token) {
+ return token.substring(0, token.lastIndexOf('.')) + ".MASKERT";
+ }
+}
diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/ServiceType.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/ServiceType.java
new file mode 100644
index 000000000..a70299933
--- /dev/null
+++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/ServiceType.java
@@ -0,0 +1,6 @@
+package no.nav.foreldrepenger.sikkerhet.abac.domene;
+
+public enum ServiceType {
+ REST,
+ WEBSERVICE
+}
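Review bot: `maskerOidcToken` in IdToken masks only the part after the last `.`, i.e. the signature; the header and payload are kept, and a JWT payload is merely base64url-encoded, so any log line built from `toString()` still exposes every claim in the token. It also throws from `toString()` when the token has no `.` (`lastIndexOf` returns -1 and `substring(0, -1)` fails) and NPEs on a null token, which is the worst place for an exception since toString is typically reached from a log statement. Keeping just the header, and returning a fixed placeholder for malformed or null input, removes both problems; the rewrite below does that.
```java
private static String maskerOidcToken(String token) {
    // Keep only the JOSE header: the payload is base64url, not encrypted, so logging it
    // would expose the claims; and toString() must never throw on odd input.
    if (token == null) {
        return "MASKERT";
    }
    int forsteDot = token.indexOf('.');
    if (forsteDot < 0) {
        return "MASKERT";
    }
    return token.substring(0, forsteDot) + ".MASKERT.MASKERT";
}
```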
diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/StandardAbacAttributtType.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/StandardAbacAttributtType.java
new file mode 100644
index 000000000..a81a6f07c
--- /dev/null
+++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/StandardAbacAttributtType.java
@@ -0,0 +1,36 @@
+package no.nav.foreldrepenger.sikkerhet.abac.domene;
+
+/**
+ * Skal kun inneholde STANDARD ABAC attributt typer. Finner du noe nytt og lurt
+ * som du kun bruker i din applikasjon - lag din ege AbacAttributtType
+ */
+public enum StandardAbacAttributtType implements AbacAttributtType {
+ /** Fødselsnummer eller D-nummer */
+ FNR(true),
+ AKTØR_ID(true),
+ /** GSAK-saknummer */
+ SAKSNUMMER,
+ BEHANDLING_ID,
+ DOKUMENT_DATA_ID,
+ FAGSAK_ID,
+ /** Eksternt refererbar unik UUID for Behandling. Bør brukes mot andre systemer istdf. BEHANDLING_ID. */
+ BEHANDLING_UUID,
+ AKSJONSPUNKT_KODE,
+ JOURNALPOST_ID;
+
+ private final boolean maskerOutput;
+
+ StandardAbacAttributtType() {
+ this(false);
+ }
+
+ StandardAbacAttributtType(boolean maskerOutput) {
+ this.maskerOutput = maskerOutput;
+ }
+
+ @Override
+ public boolean getMaskerOutput() {
+ return maskerOutput;
+ }
+
+}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/Tilgangsbeslutning.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/Tilgangsbeslutning.java
similarity index 86%
rename from felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/Tilgangsbeslutning.java
rename to felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/Tilgangsbeslutning.java
index c36937b47..129973970 100644
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/Tilgangsbeslutning.java
+++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/Tilgangsbeslutning.java
@@ -1,8 +1,11 @@ -package no.nav.vedtak.sikkerhet.abac; +package no.nav.foreldrepenger.sikkerhet.abac.domene; import java.util.List; import java.util.Objects; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.Decision; +import no.nav.foreldrepenger.sikkerhet.abac.pep.PdpRequest; + public final class Tilgangsbeslutning { private final AbacResultat beslutningKode; private final List delbeslutninger; diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/TokenType.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/TokenType.java new file mode 100644 index 000000000..c17d8607f --- /dev/null +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/domene/TokenType.java @@ -0,0 +1,7 @@ +package no.nav.foreldrepenger.sikkerhet.abac.domene; + +public enum TokenType { + OIDC, + TOKENX, + SAML +} diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/Pdp.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/Pdp.java new file mode 100644 index 000000000..ef5c1ee75 --- /dev/null +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/Pdp.java @@ -0,0 +1,8 @@ +package no.nav.foreldrepenger.sikkerhet.abac.pdp; + +import no.nav.foreldrepenger.sikkerhet.abac.domene.Tilgangsbeslutning; +import no.nav.foreldrepenger.sikkerhet.abac.pep.PdpRequest; + +public interface Pdp { + Tilgangsbeslutning forespørTilgang(PdpRequest pdpRequest); +} diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/PdpImpl.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/PdpImpl.java new file mode 100644 index 000000000..a71a91538 --- /dev/null +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/PdpImpl.java 
@@ -0,0 +1,107 @@ +package no.nav.foreldrepenger.sikkerhet.abac.pdp; + + +import java.util.List; +import java.util.Optional; + +import javax.enterprise.context.ApplicationScoped; +import javax.inject.Inject; +import javax.inject.Named; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacResultat; +import no.nav.foreldrepenger.sikkerhet.abac.domene.Tilgangsbeslutning; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.Advice; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.BiasedDecisionResponse; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.Decision; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlResponseWrapper; +import no.nav.foreldrepenger.sikkerhet.abac.pep.PdpRequest; +import no.nav.vedtak.exception.TekniskException; + +@ApplicationScoped +@Named("oldPdp") +public class PdpImpl implements Pdp { + + private static final Logger LOG = LoggerFactory.getLogger(PdpImpl.class); + + private final XacmlConsumer pdpKlient; + + @Inject + public PdpImpl(XacmlConsumer pdpKlient) { + this.pdpKlient = pdpKlient; + } + + @Override + public Tilgangsbeslutning forespørTilgang(PdpRequest pdpRequest) { + var builder = XacmlRequestMapper.lagXacmlRequestBuilder(pdpRequest); + var response = pdpKlient.evaluate(builder); + var biasedDecisionResponse = evaluateWithBias(response); + var hovedresultat = resultatFraResponse(biasedDecisionResponse); + return new Tilgangsbeslutning(hovedresultat, response.getDecisions(), pdpRequest); + } + + private static AbacResultat resultatFraResponse(BiasedDecisionResponse response) { + if (response.getBiasedDecision() == Decision.Permit) { + return AbacResultat.GODKJENT; + } + var denyAdvice = response.getXacmlResponse().getAdvice(); + + if (LOG.isDebugEnabled()) { + LOG.debug("Deny fra PDP, advice var: " + toStringWithoutLineBreaks(denyAdvice)); + } + if (denyAdvice.contains(Advice.DENY_KODE_6)) { + return AbacResultat.AVSLÅTT_KODE_6; + } + if 
(denyAdvice.contains(Advice.DENY_KODE_7)) { + return AbacResultat.AVSLÅTT_KODE_7; + } + if (denyAdvice.contains(Advice.DENY_EGEN_ANSATT)) { + return AbacResultat.AVSLÅTT_EGEN_ANSATT; + } + return AbacResultat.AVSLÅTT_ANNEN_ÅRSAK; + } + + private static BiasedDecisionResponse evaluateWithBias(XacmlResponseWrapper response) { + var decisions = response.getDecisions(); + validerDecisions(decisions); + var biasedDecision = createAggregatedDecision(decisions); + var decisionResponse = new BiasedDecisionResponse(biasedDecision, response); + harObligations(decisionResponse); + return decisionResponse; + } + + private static void validerDecisions(final List decisions) { + if (decisions.stream().anyMatch(dec -> dec.equals(Decision.Indeterminate))) { + throw new TekniskException("F-080281", "Decision.Indeterminate fra PDP, dette skal aldri skje."); + } + } + + private static Decision createAggregatedDecision(List decisions) { + if (decisions.stream().allMatch(dec -> dec.equals(Decision.Permit))) { + return Decision.Permit; + } + return Decision.Deny; + } + + private static void harObligations(BiasedDecisionResponse response) { + var obligations = response.getXacmlResponse().getObligations(); + if (!obligations.isEmpty()) { + throw new TekniskException("F-576027", String.format("Mottok ukjente obligations fra PDP: %s", obligations)); + } + } + + private static String removeLineBreaks(String string) { + return Optional.ofNullable(string) + .map(s -> s.replaceAll("(\\r|\\n)", "")) + .orElse(null); + } + + private static String toStringWithoutLineBreaks(Object object) { + return Optional.ofNullable(object) + .map(Object::toString) + .map(PdpImpl::removeLineBreaks) + .orElse(null); + } +} diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/XacmlConsumer.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/XacmlConsumer.java new file mode 100644 index 000000000..7a5761c6a --- /dev/null 
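Review bot: `createAggregatedDecision` in PdpImpl returns `Decision.Permit` for an empty decision list, because `allMatch` is vacuously true on an empty stream, and `validerDecisions` only rejects Indeterminate, so a PDP answer carrying no decisions would be turned into `AbacResultat.GODKJENT`. A policy decision point should fail closed: add `if (decisions.isEmpty()) { throw new TekniskException("<F-kode>", "Ingen decisions i svar fra PDP."); }` to `validerDecisions`, with a real error code in place of the placeholder, or require `!decisions.isEmpty()` in the aggregation. Whether `XacmlResponseWrapper.getDecisions()` can actually be empty is not visible here, but the aggregation should not depend on it. The debug line could also use the parameterised form, `LOG.debug("Deny fra PDP, advice var: {}", toStringWithoutLineBreaks(denyAdvice));`, which makes the `isDebugEnabled()` guard unnecessary.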
+++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/XacmlConsumer.java @@ -0,0 +1,11 @@ +package no.nav.foreldrepenger.sikkerhet.abac.pdp; + +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlRequest; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlRequestBuilder; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlResponse; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlResponseWrapper; + +public interface XacmlConsumer { + XacmlResponseWrapper evaluate(XacmlRequestBuilder request); + XacmlResponse evaluate(XacmlRequest request); +} diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumerImpl.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/XacmlConsumerImpl.java similarity index 61% rename from felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumerImpl.java rename to felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/XacmlConsumerImpl.java index 03eca0910..d9572dd5c 100644 --- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumerImpl.java +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/XacmlConsumerImpl.java @@ -1,4 +1,4 @@ -package no.nav.vedtak.sikkerhet.pdp; +package no.nav.foreldrepenger.sikkerhet.abac.pdp; import java.io.IOException; import java.net.URI; @@ -15,7 +15,6 @@ import org.apache.http.HeaderElementIterator; import org.apache.http.HttpEntity; import org.apache.http.HttpHost; -import org.apache.http.HttpResponse; import org.apache.http.HttpStatus; import org.apache.http.StatusLine; import org.apache.http.auth.AuthScope; 
@@ -37,41 +36,42 @@ import org.apache.http.impl.conn.PoolingHttpClientConnectionManager; import org.apache.http.message.BasicHeaderElementIterator; import org.apache.http.protocol.HTTP; -import org.apache.http.protocol.HttpContext; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlRequest; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlRequestBuilder; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlResponse; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlResponseWrapper; import no.nav.vedtak.exception.TekniskException; import no.nav.vedtak.konfig.KonfigVerdi; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequestBuilder; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlResponseWrapper; -import no.nav.vedtak.util.Tuple; @ApplicationScoped -public class PdpConsumerImpl implements PdpConsumer { +public class XacmlConsumerImpl implements XacmlConsumer { - private static final String DEFAULT_ABAC_URL = "http://abac-foreldrepenger.default/application/authorize"; + private static final String DEFAULT_ABAC_URL = "http://abac-foreldrepenger.teamabac/application/authorize"; private static final String PDP_ENDPOINT_URL_KEY = "abac.pdp.endpoint.url"; private static final String SYSTEMBRUKER_USERNAME = "systembruker.username"; private static final String SYSTEMBRUKER_PASSWORD = "systembruker.password"; // NOSONAR private static final int MAX_TOTAL_CONNECTIONS_PER_ROUTE = 20; private static final String MEDIA_TYPE = "application/xacml+json"; - private static final Logger LOG = LoggerFactory.getLogger(PdpConsumerImpl.class); + private static final Logger LOG = LoggerFactory.getLogger(XacmlConsumerImpl.class); private String pdpUrl; private String brukernavn; private String passord; private HttpHost target; - private Tuple activeConfiguration; + private HttpConf activeConfiguration; - PdpConsumerImpl() { 
+ XacmlConsumerImpl() { } // CDI @Inject - public PdpConsumerImpl(@KonfigVerdi(value = PDP_ENDPOINT_URL_KEY, defaultVerdi = DEFAULT_ABAC_URL) String pdpUrl, - @KonfigVerdi(SYSTEMBRUKER_USERNAME) String brukernavn, - @KonfigVerdi(SYSTEMBRUKER_PASSWORD) String passord) { + public XacmlConsumerImpl(@KonfigVerdi(value = PDP_ENDPOINT_URL_KEY, defaultVerdi = DEFAULT_ABAC_URL) String pdpUrl, + @KonfigVerdi(SYSTEMBRUKER_USERNAME) String brukernavn, + @KonfigVerdi(SYSTEMBRUKER_PASSWORD) String passord) { this.pdpUrl = pdpUrl; this.brukernavn = brukernavn; this.passord = passord; @@ -79,7 +79,7 @@ public PdpConsumerImpl(@KonfigVerdi(value = PDP_ENDPOINT_URL_KEY, defaultVerdi = activeConfiguration = buildClient(); } - private Tuple buildClient() { + private HttpConf buildClient() { var cm = new PoolingHttpClientConnectionManager(); cm.setDefaultMaxPerRoute(MAX_TOTAL_CONNECTIONS_PER_ROUTE); cm.setMaxTotal(3 * MAX_TOTAL_CONNECTIONS_PER_ROUTE); // i tilfelle redirects @@ -103,7 +103,7 @@ private Tuple buildClient() { AuthCache authCache = new BasicAuthCache(); authCache.put(target, new BasicScheme()); - return new Tuple<>(client, authCache); + return new HttpConf(client, authCache); } @Override 
@@ -111,6 +111,37 @@ public XacmlResponseWrapper evaluate(XacmlRequestBuilder request) { return new XacmlResponseWrapper(execute(request.build())); } + public XacmlResponse evaluate(XacmlRequest request) { + return execute(request); + } + + private XacmlResponse execute(final XacmlRequest request) { + HttpConf active = activeConfiguration; + HttpPost post = new HttpPost(pdpUrl); + post.setHeader("Content-type", MEDIA_TYPE); + post.setEntity(new StringEntity(DefaultJsonMapper.toJson(request), java.nio.charset.StandardCharsets.UTF_8)); + + LOG.trace("PDP-request: {}", request); + + StatusLine statusLine = null; + HttpClientContext context = HttpClientContext.create(); + context.setAuthCache(active.cache); + try (CloseableHttpResponse response = active.client.execute(target, post, context)) { + statusLine = response.getStatusLine(); + if (HttpStatus.SC_OK == statusLine.getStatusCode()) { + final HttpEntity entity = response.getEntity(); + var xamclResponse = DefaultJsonMapper.MAPPER.readValue(entity.getContent(), XacmlResponse.class); + LOG.trace("PDP-response: {}", xamclResponse); + return xamclResponse; + } + } catch (IOException e) { + throw new TekniskException("F-091324", "Uventet IO-exception mot PDP fra ny client.", e); + } finally { + post.releaseConnection(); + } + throw new TekniskException("F-091324", "Uventet feil mot PDP fra ny client."); + } + JsonObject execute(JsonObject request) { HttpPost post = new HttpPost(pdpUrl); post.setHeader("Content-type", MEDIA_TYPE); 
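Review bot: `execute(XacmlRequest)` discards the HTTP status on every non-200 answer: only the `SC_OK` branch exists inside the try, so a 401, 403 or 500 falls through to the generic `"Uventet feil mot PDP fra ny client."` with no code or reason phrase, and the same `F-091324` code is reused for the IO failure, so the two cases cannot be told apart in alerting. Mirror the JSON path: after the `if`, `throw new TekniskException("F-815365", String.format("Mottok HTTP error fra PDP: HTTP %s - %s", statusLine.getStatusCode(), statusLine.getReasonPhrase()));` and give the IO case its own code. Unlike `execute(JsonObject)`, this path also does no client rebuild on 401; if that is deliberate for the new client, say so in a comment. `evaluate(XacmlRequest)` implements the XacmlConsumer method but lacks `@Override`. `LOG.trace("PDP-request: {}", request)` prints whatever XacmlRequest.toString exposes; if the mapper fills the token-body attributes named in AbacAttributtNøkkel, enabling trace would write bearer tokens to the log, so that toString should mask them.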
@@ -118,12 +149,12 @@ JsonObject execute(JsonObject request) { LOG.trace("PDP-request: {}", request); - Tuple active = activeConfiguration; + HttpConf active = activeConfiguration; - Tuple response = call(active, post); - int statusCode = response.getElement1().getStatusCode(); + ResponseStatus response = call(active, post); + int statusCode = response.status.getStatusCode(); if (HttpStatus.SC_OK == statusCode) { - return response.getElement2(); + return response.json; } if (HttpStatus.SC_UNAUTHORIZED == statusCode) { synchronized (this) { @@ -133,15 +164,15 @@ JsonObject execute(JsonObject request) { // det skjer at PDP server f.eks. er resatt og eneste vi kan gjøre er å resette // vår egen tilstand. activeConfiguration = buildClient(); - LOG.warn("Feilet autentisering mot PDP, reinstansierer hele klienten for å fjerne all state"); + LOG.warn("F-563467: Feilet autentisering mot PDP, reinstansierer hele klienten for å fjerne all state"); } } active = activeConfiguration; response = call(active, post); - statusCode = response.getElement1().getStatusCode(); + statusCode = response.status.getStatusCode(); if (HttpStatus.SC_OK == statusCode) { - return response.getElement2(); + return response.json; } if (HttpStatus.SC_UNAUTHORIZED == statusCode) { throw new TekniskException("F-867412", 
@@ -150,13 +181,13 @@ JsonObject execute(JsonObject request) { } } throw new TekniskException("F-815365", - String.format("Mottok HTTP error fra PDP: HTTP %s - %s", statusCode, response.getElement1().getReasonPhrase())); + String.format("Mottok HTTP error fra PDP: HTTP %s - %s", statusCode, response.status.getReasonPhrase())); } - private Tuple call(Tuple active, HttpPost post) { - final CloseableHttpClient client = active.getElement1(); - final AuthCache authCache = active.getElement2(); + private ResponseStatus call(HttpConf active, HttpPost post) { + final CloseableHttpClient client = active.client; + final AuthCache authCache = active.cache; int retries = 2; StatusLine statusLine = null; @@ -170,7 +201,7 @@ private Tuple call(Tuple try (JsonReader reader = Json.createReader(entity.getContent())) { JsonObject jsonResponse = reader.readObject(); LOG.trace("PDP-response: {}", jsonResponse); - return new Tuple<>(statusLine, jsonResponse); + return new ResponseStatus(statusLine, jsonResponse); } } break; @@ -187,7 +218,7 @@ private Tuple call(Tuple } } - return new Tuple<>(statusLine, JsonValue.EMPTY_JSON_OBJECT); + return new ResponseStatus(statusLine, JsonValue.EMPTY_JSON_OBJECT); } private String getSchemaAndHostFromURL(String pdpUrl) { 
@@ -204,21 +235,53 @@ private String getSchemaAndHostFromURL(String pdpUrl) { * sender keepalive header. */ private static ConnectionKeepAliveStrategy createKeepAliveStrategy(int seconds) { - return new ConnectionKeepAliveStrategy() { - @Override - public long getKeepAliveDuration(HttpResponse response, HttpContext context) { - HeaderElementIterator it = new BasicHeaderElementIterator(response.headerIterator(HTTP.CONN_KEEP_ALIVE)); - while (it.hasNext()) { - HeaderElement he = it.nextElement(); - String param = he.getName(); - String value = he.getValue(); - if (value != null && param.equalsIgnoreCase("timeout")) { - return Long.parseLong(value) * 1000L; - } + return (response, context) -> { + HeaderElementIterator it = new BasicHeaderElementIterator(response.headerIterator(HTTP.CONN_KEEP_ALIVE)); + while (it.hasNext()) { + HeaderElement he = it.nextElement(); + String param = he.getName(); + String value = he.getValue(); + if (value != null && param.equalsIgnoreCase("timeout")) { + return Long.parseLong(value) * 1000L; } - return seconds * 1000L; } + return seconds * 1000L; }; } + private static class HttpConf { + private final CloseableHttpClient client; + private final AuthCache cache; + + public HttpConf(final CloseableHttpClient client, final AuthCache cache) { + this.client = client; + this.cache = cache; + } + + public CloseableHttpClient getClient() { + return client; + } + + public AuthCache getCache() { + return cache; + } + } + + private static class ResponseStatus { + private final StatusLine status; + private final JsonObject json; + + public ResponseStatus(final StatusLine status, final JsonObject json) { + this.status = status; + this.json = json; + } + + public StatusLine getStatus() { + return status; + } + + public JsonObject getJson() { + return json; + } + } } 
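Review bot: In the keep-alive lambda, `return Long.parseLong(value) * 1000L;` parses a server-supplied `Keep-Alive: timeout=` value unguarded, so a malformed or negative value from the PDP or an intermediary would throw `NumberFormatException` out of the connection manager instead of falling back to `seconds`. The behaviour is inherited from the anonymous class being replaced, but since these lines are rewritten here a guarded parse is cheap: check `value.chars().allMatch(Character::isDigit)` before parsing, or catch `NumberFormatException` and fall through to the default. Separately, `HttpConf` and `ResponseStatus` both expose getters that nothing calls — callers read `active.client` and `response.status` directly — so either drop the getters or use them consistently; if the project is on a Java level that has records, both classes are exactly that shape.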
diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/XacmlRequestMapper.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/XacmlRequestMapper.java new file mode 100644 index 000000000..4e832c214 --- /dev/null +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/XacmlRequestMapper.java 
@@ -0,0 +1,189 @@ +package no.nav.foreldrepenger.sikkerhet.abac.pdp; + +import java.nio.charset.StandardCharsets; +import java.text.ParseException; +import java.util.ArrayList; +import java.util.Base64; +import java.util.List; +import java.util.Set; +import java.util.stream.Collectors; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.nimbusds.jwt.SignedJWT; + +import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacAttributtNøkkel; +import no.nav.foreldrepenger.sikkerhet.abac.domene.ActionType; +import no.nav.foreldrepenger.sikkerhet.abac.domene.IdSubject; +import no.nav.foreldrepenger.sikkerhet.abac.domene.IdToken; +import no.nav.foreldrepenger.sikkerhet.abac.domene.TokenType; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlAttributeSet; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlRequest; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlRequestBuilder; +import no.nav.foreldrepenger.sikkerhet.abac.pep.PdpRequest; +import no.nav.vedtak.util.env.Environment; + +public class XacmlRequestMapper { + + private static final Logger LOG = LoggerFactory.getLogger(PdpImpl.class); + private static final Environment ENV = Environment.current(); + private static final String DEFAULT_DOMENE_FORELDREPENGER = "foreldrepenger"; + + public static XacmlRequestBuilder lagXacmlRequestBuilder(PdpRequest pdpRequest) { + XacmlRequestBuilder xacmlBuilder = new XacmlRequestBuilder(); + + var identer = hentIdenter(pdpRequest); + + if (identer.isEmpty()) { + populerResourcesSet(xacmlBuilder, pdpRequest, null); + } else { + identer.forEach(ident -> populerResourcesSet(xacmlBuilder, pdpRequest, ident)); + } + + populerActionSet(xacmlBuilder, pdpRequest.getActionId()); + populerEnvironmentSet(xacmlBuilder, pdpRequest); + pdpRequest.getIdSubject().ifPresent(subject -> populerSubjectSet(xacmlBuilder, subject)); + return xacmlBuilder; + } + + private static XacmlRequest.Pair getPepIdInfo(final PdpRequest pdpRequest) { + return new 
XacmlRequest.Pair(AbacAttributtNøkkel.ENVIRONMENT_PEP_ID, pdpRequest.getPepId().orElse(getPepId())); + } + + private static XacmlRequest.Pair getTokenInfo(IdToken idToken) { + switch (idToken.getTokenType()) { + case OIDC: + case TOKENX: { + return getOidcTokenInfo(idToken); + } + case SAML: { + LOG.trace("Legger på token med type saml"); + return new XacmlRequest.Pair(AbacAttributtNøkkel.ENVIRONMENT_SAML_TOKEN, base64encode(idToken.getToken())); + } + } + throw new IllegalArgumentException("En gyldig token må være satt."); + } + + private static XacmlRequest.Pair getOidcTokenInfo(final IdToken idToken) { + String key; + var tokenType = idToken.getTokenType(); + if (tokenType.equals(TokenType.OIDC)) { + key = AbacAttributtNøkkel.ENVIRONMENT_OIDC_TOKEN_BODY; + } else if (tokenType.equals(TokenType.TOKENX)) { + key = AbacAttributtNøkkel.ENVIRONMENT_TOKENX_TOKEN_BODY; + } else { + throw new IllegalArgumentException(String.format("Ukjent token type: %s, forventer OIDC eller TOKENX", tokenType)); + } + LOG.trace("Legger ved {} token på {}", tokenType, key); + try { + return new XacmlRequest.Pair(key, SignedJWT.parse(idToken.getToken()).getPayload().toBase64URL().toString()); + } catch (ParseException e) { + throw new IllegalArgumentException("Ukjent token type"); + } + } + + private static List getSubjectInfo(IdSubject idSubject) { + List subjectPairs = new ArrayList<>(); + subjectPairs.add(new XacmlRequest.Pair(AbacAttributtNøkkel.SUBJECT_ID, idSubject.getSubjectId())); + subjectPairs.add(new XacmlRequest.Pair(AbacAttributtNøkkel.SUBJECT_TYPE, idSubject.getSubjectType())); + idSubject.getSubjectLevel().ifPresent(level -> subjectPairs.add(new XacmlRequest.Pair(AbacAttributtNøkkel.SUBJECT_LEVEL, level))); + return subjectPairs; + } + + static void populerSubjectSet(final XacmlRequestBuilder builder, final IdSubject subject) { + var actionAttributes = new XacmlAttributeSet(); + var subjectInfo = getSubjectInfo(subject); + subjectInfo.forEach(pair -> 
actionAttributes.addAttribute(pair.getAttributeId(), pair.getValue())); + builder.addSubjectAttributeSet(actionAttributes); + } + + static void populerActionSet(XacmlRequestBuilder builder, ActionType actionType) { + var actionAttributes = new XacmlAttributeSet(); + actionAttributes.addAttribute(AbacAttributtNøkkel.ACTION_ACTION_ID, actionType.getEksternKode()); + builder.addActionAttributeSet(actionAttributes); + } + + static void populerEnvironmentSet(XacmlRequestBuilder builder, PdpRequest pdpRequest) { + var environmentAttributes = new XacmlAttributeSet(); + var pepInfo = getPepIdInfo(pdpRequest); + environmentAttributes.addAttribute(pepInfo.getAttributeId(), pepInfo.getValue()); + var tokenType = getTokenInfo(pdpRequest.getIdToken()); + environmentAttributes.addAttribute(tokenType.getAttributeId(), tokenType.getValue()); + builder.addEnvironmentAttributeSet(environmentAttributes); + } + + private static String base64encode(String samlToken) { + return Base64.getEncoder().encodeToString(samlToken.getBytes(StandardCharsets.UTF_8)); + } + + private static String getPepId() { return ENV.appName(); } + + private static void populerResourcesSet(XacmlRequestBuilder xacmlBuilder, PdpRequest pdpRequest, Ident ident) { + Set aksjonspunktTyper = pdpRequest.getAksjonspunkter(); + if (aksjonspunktTyper.isEmpty()) { + xacmlBuilder.addResourceAttributeSet(byggRessursAttributter(pdpRequest, ident, null)); + } else { + for (String aksjonspunktType : aksjonspunktTyper) { + xacmlBuilder.addResourceAttributeSet(byggRessursAttributter(pdpRequest, ident, aksjonspunktType)); + } + } + } + + protected static XacmlAttributeSet byggRessursAttributter(PdpRequest pdpRequest, Ident ident, String aksjonsounktType) { + var resourceAttributeSet = new XacmlAttributeSet(); + + resourceAttributeSet.addAttribute(AbacAttributtNøkkel.RESOURCE_DOMENE, pdpRequest.getDomene().orElse(DEFAULT_DOMENE_FORELDREPENGER)); + resourceAttributeSet.addAttribute(AbacAttributtNøkkel.RESOURCE_RESOURCE_TYPE, 
pdpRequest.getResourceType()); + + pdpRequest.getFagsakStatus().ifPresent(s -> resourceAttributeSet.addAttribute(AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_SAK_SAKSSTATUS, s.getEksternKode())); + pdpRequest.getBehandlingStatus().ifPresent(s -> resourceAttributeSet.addAttribute(AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_SAK_BEHANDLINGSSTATUS, s.getEksternKode())); + pdpRequest.getAnsvarligSaksbenandler().ifPresent(s -> resourceAttributeSet.addAttribute(AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_SAK_ANSVARLIG_SAKSBEHANDLER, s)); + + pdpRequest.getAnnenPartAktørId().ifPresent(s -> resourceAttributeSet.addAttribute(AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_ANNEN_PART, s)); + pdpRequest.getAleneomsorg().ifPresent(s -> resourceAttributeSet.addAttribute(AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_ALENEOMSORG, s.toString())); + + if (ident != null) { + resourceAttributeSet.addAttribute(ident.key, ident.ident); + } + + if (aksjonsounktType != null) { + resourceAttributeSet.addAttribute(AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_SAK_AKSJONSPUNKT_TYPE, aksjonsounktType); + } + + return resourceAttributeSet; + } + + + private static List hentIdenter(PdpRequest pdpRequest) { + List identer = pdpRequest.getAktørIder() + .stream() + .map(it -> new Ident(AbacAttributtNøkkel.RESOURCE_PERSON_AKTOERID, it)) + .collect(Collectors.toList()); + + identer.addAll(pdpRequest.getPersonnummere() + .stream() + .map(it -> new Ident(AbacAttributtNøkkel.RESOURCE_PERSON_FNR, it)) + .collect(Collectors.toList())); + + return identer; + } + + public static class Ident { + private String key; + private String ident; + + public Ident(String key, String ident) { + this.key = key; + this.ident = ident; + } + + public String Key() { + return key; + } + + public String Ident() { + return ident; + } + } +} 
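Review bot: `private static final Logger LOG = LoggerFactory.getLogger(PdpImpl.class);` in `XacmlRequestMapper` attributes this class's log lines to `PdpImpl`, which misleads anyone correlating logs; it should be `LoggerFactory.getLogger(XacmlRequestMapper.class)`. In `getOidcTokenInfo` the `catch (ParseException e)` rethrows `IllegalArgumentException("Ukjent token type")`, which drops the cause and mis-describes the condition — the type was already resolved, it is the JWT that failed to parse — so at least keep `e` as cause: `throw new IllegalArgumentException("Ukjent token type", e);`. Note also that `SignedJWT.parse(...).getPayload()` only splits the compact serialization and performs no signature check, so the claims forwarded to the PDP are only as trustworthy as the validation done before the PEP; a one-line comment stating that assumption on that line would help the next reader. Finally, `Ident` declares accessors `Key()` and `Ident()` that violate Java naming and are unused, since callers read `ident.key` and `ident.ident` directly.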
diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/NyPdpImpl.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/NyPdpImpl.java new file mode 100644 index 000000000..0b06bb1d8 --- /dev/null +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/NyPdpImpl.java 
@@ -0,0 +1,142 @@ +package no.nav.foreldrepenger.sikkerhet.abac.pdp2; + + +import java.util.List; +import java.util.Objects; +import java.util.Optional; +import java.util.stream.Collectors; + +import javax.enterprise.context.ApplicationScoped; +import javax.inject.Inject; +import javax.inject.Named; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacResultat; +import no.nav.foreldrepenger.sikkerhet.abac.domene.Tilgangsbeslutning; +import no.nav.foreldrepenger.sikkerhet.abac.pdp.Pdp; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.Advice; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.Decision; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlResponse; +import no.nav.foreldrepenger.sikkerhet.abac.pep.PdpRequest; +import no.nav.vedtak.exception.TekniskException; + +@ApplicationScoped +@Named("nyPdp") +public class NyPdpImpl implements Pdp { + + private static final Logger LOG = LoggerFactory.getLogger(NyPdpImpl.class); + + private static final String POLICY_IDENTIFIER = "no.nav.abac.attributter.adviceorobligation.deny_policy"; + private static final String DENY_ADVICE_IDENTIFIER = "no.nav.abac.advices.reason.deny_reason"; + + private final NyXacmlConsumer pdpKlient; + + @Inject + public NyPdpImpl(NyXacmlConsumer pdpKlient) { + this.pdpKlient = pdpKlient; + } + + @Override + public Tilgangsbeslutning forespørTilgang(PdpRequest pdpRequest) { + XacmlResponse xacmlResponse = pdpKlient.evaluate(NyXacmlRequestMapper.lagXacmlRequest(pdpRequest)); + + var decisions = collectDecisions(xacmlResponse); + validerObligations(xacmlResponse.getResponse()); + var hovedresultat = lagResultat(decisions, xacmlResponse.getResponse()); + return new Tilgangsbeslutning(hovedresultat, decisions, pdpRequest); + } + + private List collectDecisions(final XacmlResponse nyResponse) { + var decisions = 
nyResponse.getResponse().stream().map(XacmlResponse.Response::getDecision).collect(Collectors.toList()); + valider(decisions); + return decisions; + } + + private static AbacResultat lagResultat(List decisions, List response) { + if (aggregatedDecision(decisions) == Decision.Permit) { + return AbacResultat.GODKJENT; + } + + var denyAdvices = response.stream() + .map(XacmlResponse.Response::getAssociatedAdvice) + .filter(Objects::nonNull) + .flatMap(List::stream) + .filter(advice -> advice.getId().equals(DENY_ADVICE_IDENTIFIER)) + .flatMap(advice -> advice.getAttributeAssignment().stream() + .filter(attributeAssignment -> attributeAssignment.getAttributeId().equals(POLICY_IDENTIFIER)) + .map(denyPolicy -> mapToAdvice(denyPolicy.getValue())) + .filter(Objects::nonNull)) + .collect(Collectors.toList()); + + if (LOG.isDebugEnabled()) { + LOG.debug("Deny fra PDP, advice var: " + toStringWithoutLineBreaks(denyAdvices)); + } + + if (denyAdvices.contains(Advice.DENY_KODE_6)) { + return AbacResultat.AVSLÅTT_KODE_6; + } + if (denyAdvices.contains(Advice.DENY_KODE_7)) { + return AbacResultat.AVSLÅTT_KODE_7; + } + if (denyAdvices.contains(Advice.DENY_EGEN_ANSATT)) { + return AbacResultat.AVSLÅTT_EGEN_ANSATT; + } + return AbacResultat.AVSLÅTT_ANNEN_ÅRSAK; + } + + private static Advice mapToAdvice(String adviceString) { + switch (adviceString) { + case "fp3_behandle_egen_ansatt": return Advice.DENY_EGEN_ANSATT; + case "fp2_behandle_kode7": return Advice.DENY_KODE_7; + case "fp1_behandle_kode6": return Advice.DENY_KODE_6; + default: return null; + } + } + + private static Decision aggregatedDecision(List decisions) { + if (decisions.stream().allMatch(dec -> dec.equals(Decision.Permit))) { + return Decision.Permit; + } + return Decision.Deny; + } + + private static void valider(final List decisions) { + if (decisions.stream().anyMatch(dec -> dec.equals(Decision.Indeterminate))) { + throw new TekniskException("F-080281", "Decision.Indeterminate fra PDP, dette skal aldri skje."); + 
} + } + + private static void validerObligations(List response) { + var obligations = response.stream() + .map(XacmlResponse.Response::getObligations) + .filter(Objects::nonNull) + .flatMap(List::stream).collect(Collectors.toList()); + if (!obligations.isEmpty()) { + throw new TekniskException("F-576027", + String.format("Mottok ukjente obligations fra PDP: %s", + obligations.stream() + .map(XacmlResponse.Assignments::getAttributeAssignment) + .filter(Objects::nonNull) + .flatMap(obligation -> obligation.stream() + .filter(Objects::nonNull) + .map(XacmlResponse.AttributeAssignment::getValue)) + .collect(Collectors.joining(", ")) + )); + } + } + + private static String removeLineBreaks(String string) { + return Optional.ofNullable(string) + .map(s -> s.replaceAll("(\\r|\\n)", "")) + .orElse(null); + } + + private static String toStringWithoutLineBreaks(Object object) { + return Optional.ofNullable(object) + .map(Object::toString) + .map(NyPdpImpl::removeLineBreaks) + .orElse(null); + } +} diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/NyXacmlConsumer.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/NyXacmlConsumer.java new file mode 100644 index 000000000..9ba7732aa --- /dev/null +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/NyXacmlConsumer.java @@ -0,0 +1,10 @@ +package no.nav.foreldrepenger.sikkerhet.abac.pdp2; + +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlRequest; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlRequestBuilder; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlResponse; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlResponseWrapper; + +public interface NyXacmlConsumer { + XacmlResponse evaluate(XacmlRequest request); +} 
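Review bot: `aggregatedDecision` returns `Decision.Permit` for an empty decision list, because `Stream.allMatch` is vacuously true on an empty stream, so a PDP reply whose `Response` array is empty would be turned into `AbacResultat.GODKJENT` by `lagResultat` — a fail-open path on the authorization decision. `valider` only rejects `Indeterminate` and does not catch this case. Make the aggregate fail closed with `if (!decisions.isEmpty() && decisions.stream().allMatch(dec -> dec.equals(Decision.Permit)))`, or better, reject an empty list in `valider` with a `TekniskException` so the anomaly is visible rather than silently denied. `collectDecisions` will also throw an NPE if `getResponse()` is null, which is at least fail-closed but deserves an `Objects.requireNonNull` with a message naming the PDP.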
diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/NyXacmlRequestMapper.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/NyXacmlRequestMapper.java new file mode 100644 index 000000000..ecb061c5c --- /dev/null +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/NyXacmlRequestMapper.java 
@@ -0,0 +1,179 @@ +package no.nav.foreldrepenger.sikkerhet.abac.pdp2; + +import java.nio.charset.StandardCharsets; +import java.text.ParseException; +import java.util.ArrayList; +import java.util.Base64; +import java.util.List; +import java.util.stream.Collectors; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.nimbusds.jwt.SignedJWT; + +import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacAttributtNøkkel; +import no.nav.foreldrepenger.sikkerhet.abac.domene.IdSubject; +import no.nav.foreldrepenger.sikkerhet.abac.domene.IdToken; +import no.nav.foreldrepenger.sikkerhet.abac.domene.TokenType; +import no.nav.foreldrepenger.sikkerhet.abac.pdp.PdpImpl; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlRequest; +import no.nav.foreldrepenger.sikkerhet.abac.pep.PdpRequest; +import no.nav.vedtak.util.env.Environment; + +public class NyXacmlRequestMapper { + + private static final Logger LOG = LoggerFactory.getLogger(PdpImpl.class); + private static final Environment ENV = Environment.current(); + private static final String DEFAULT_DOMENE_FORELDREPENGER = "foreldrepenger"; + + public static XacmlRequest lagXacmlRequest(PdpRequest pdpRequest) { + var actionAttributes = new XacmlRequest.AttributeSet( + List.of(getActionInfo(pdpRequest)) + ); + var envAttributes = new XacmlRequest.AttributeSet( + List.of( + getPepIdInfo(pdpRequest), + getTokenInfo(pdpRequest.getIdToken()) + ) + ); + var subjectAttributes = new XacmlRequest.AttributeSet( + pdpRequest.getIdSubject().map(NyXacmlRequestMapper::getSubjectInfo).orElse(List.of()) + ); + var resourceAttributes = getResourceInfo(pdpRequest); + var request = new XacmlRequest.Request(actionAttributes, envAttributes, resourceAttributes, subjectAttributes.getAttributt().isEmpty() ? 
null : subjectAttributes); + return new XacmlRequest(request); + } + + private static List getResourceInfo(final PdpRequest pdpRequest) { + var resourceAttributes = new ArrayList(); + var identer = hentIdenter(pdpRequest); + if (identer.isEmpty()) { + resourceAttributes.addAll(getResourceInfo(pdpRequest, null)); + } else { + identer.forEach(ident -> resourceAttributes.addAll(getResourceInfo(pdpRequest, ident))); + } + return resourceAttributes; + } + + private static List getResourceInfo(final PdpRequest pdpRequest, Ident ident) { + var resourceAttributes = new ArrayList(); + var aksjonspunktTyper = pdpRequest.getAksjonspunkter(); + if (aksjonspunktTyper.isEmpty()) { + resourceAttributes.add(getResourceInfo(pdpRequest, ident, null)); + } else { + aksjonspunktTyper.forEach(ap -> resourceAttributes.add(getResourceInfo(pdpRequest, ident, ap))); + } + return resourceAttributes; + } + + private static XacmlRequest.AttributeSet getResourceInfo(PdpRequest pdpRequest, Ident ident, String aksjonsounktType) { + var attributes = new ArrayList(); + + attributes.add(new XacmlRequest.Pair(AbacAttributtNøkkel.RESOURCE_DOMENE, pdpRequest.getDomene().orElse(DEFAULT_DOMENE_FORELDREPENGER))); + attributes.add(new XacmlRequest.Pair(AbacAttributtNøkkel.RESOURCE_RESOURCE_TYPE, pdpRequest.getResourceType())); + + pdpRequest.getFagsakStatus().ifPresent(s -> attributes.add(new XacmlRequest.Pair(AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_SAK_SAKSSTATUS, s.getEksternKode()))); + pdpRequest.getBehandlingStatus().ifPresent(s -> attributes.add(new XacmlRequest.Pair(AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_SAK_BEHANDLINGSSTATUS, s.getEksternKode()))); + pdpRequest.getAnsvarligSaksbenandler().ifPresent(s -> attributes.add(new XacmlRequest.Pair(AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_SAK_ANSVARLIG_SAKSBEHANDLER, s))); + + pdpRequest.getAnnenPartAktørId().ifPresent(s -> attributes.add(new XacmlRequest.Pair(AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_ANNEN_PART, s))); + 
pdpRequest.getAleneomsorg().ifPresent(s -> attributes.add(new XacmlRequest.Pair(AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_ALENEOMSORG, s.toString()))); + + if (ident != null) { + attributes.add(new XacmlRequest.Pair(ident.key, ident.ident)); + } + + if (aksjonsounktType != null) { + attributes.add(new XacmlRequest.Pair(AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_SAK_AKSJONSPUNKT_TYPE, aksjonsounktType)); + } + + return new XacmlRequest.AttributeSet(attributes); + } + + private static XacmlRequest.Pair getActionInfo(final PdpRequest pdpRequest) { + return new XacmlRequest.Pair(AbacAttributtNøkkel.ACTION_ACTION_ID, pdpRequest.getActionId().getEksternKode()); + } + + private static XacmlRequest.Pair getPepIdInfo(final PdpRequest pdpRequest) { + return new XacmlRequest.Pair(AbacAttributtNøkkel.ENVIRONMENT_PEP_ID, pdpRequest.getPepId().orElse(getPepId())); + } + + private static XacmlRequest.Pair getTokenInfo(IdToken idToken) { + switch (idToken.getTokenType()) { + case OIDC: + case TOKENX: { + return getOidcTokenInfo(idToken); + } + case SAML: { + LOG.trace("Legger på token med type saml"); + return new XacmlRequest.Pair(AbacAttributtNøkkel.ENVIRONMENT_SAML_TOKEN, base64encode(idToken.getToken())); + } + } + throw new IllegalArgumentException("En gyldig token må være satt."); + } + + private static XacmlRequest.Pair getOidcTokenInfo(final IdToken idToken) { + String key; + var tokenType = idToken.getTokenType(); + if (tokenType.equals(TokenType.OIDC)) { + key = AbacAttributtNøkkel.ENVIRONMENT_OIDC_TOKEN_BODY; + } else if (tokenType.equals(TokenType.TOKENX)) { + key = AbacAttributtNøkkel.ENVIRONMENT_TOKENX_TOKEN_BODY; + } else { + throw new IllegalArgumentException(String.format("Ukjent token type: %s, forventer OIDC eller TOKENX", tokenType)); + } + LOG.trace("Legger ved {} token på {}", tokenType, key); + try { + return new XacmlRequest.Pair(key, SignedJWT.parse(idToken.getToken()).getPayload().toBase64URL().toString()); + } catch (ParseException e) { + throw new 
IllegalArgumentException("Ukjent token type"); + } + } + + private static List getSubjectInfo(IdSubject idSubject) { + List subjectPairs = new ArrayList<>(); + subjectPairs.add(new XacmlRequest.Pair(AbacAttributtNøkkel.SUBJECT_ID, idSubject.getSubjectId())); + subjectPairs.add(new XacmlRequest.Pair(AbacAttributtNøkkel.SUBJECT_TYPE, idSubject.getSubjectType())); + idSubject.getSubjectLevel().ifPresent(level -> subjectPairs.add(new XacmlRequest.Pair(AbacAttributtNøkkel.SUBJECT_LEVEL, level))); + return subjectPairs; + } + private static String base64encode(String samlToken) { + return Base64.getEncoder().encodeToString(samlToken.getBytes(StandardCharsets.UTF_8)); + } + + private static String getPepId() { return ENV.appName(); } + + + private static List hentIdenter(PdpRequest pdpRequest) { + List identer = pdpRequest.getAktørIder() + .stream() + .map(it -> new Ident(AbacAttributtNøkkel.RESOURCE_PERSON_AKTOERID, it)) + .collect(Collectors.toList()); + + identer.addAll(pdpRequest.getPersonnummere() + .stream() + .map(it -> new Ident(AbacAttributtNøkkel.RESOURCE_PERSON_FNR, it)) + .collect(Collectors.toList())); + + return identer; + } + + public static class Ident { + private String key; + private String ident; + + public Ident(String key, String ident) { + this.key = key; + this.ident = ident; + } + + public String Key() { + return key; + } + + public String Ident() { + return ident; + } + } +} diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/XamclJerseyRestKlient.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/XamclJerseyRestKlient.java new file mode 100644 index 000000000..5e761376c --- /dev/null +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/XamclJerseyRestKlient.java 
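Review bot: `NyXacmlRequestMapper` duplicates `getTokenInfo`, `getOidcTokenInfo`, `getSubjectInfo`, `hentIdenter`, `base64encode` and the `Ident` class verbatim from `XacmlRequestMapper`, including its defects: the logger is created for `PdpImpl.class` (the only reason `PdpImpl` is imported here) and `catch (ParseException e)` throws `IllegalArgumentException("Ukjent token type")` without the cause. Two copies of the token-to-attribute mapping means any future change to how the token is forwarded to the PDP has to be made twice; extracting the shared pieces into one package-private helper before this lands would avoid that. At minimum change the logger to `LoggerFactory.getLogger(NyXacmlRequestMapper.class)` and pass `e` as the cause. Note also that `SignedJWT.parse(...).getPayload()` performs no signature verification, so the claims sent to the PDP rely on the token having been validated upstream — this assumption should be stated in a comment on that line.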
@@ -0,0 +1,64 @@ +package no.nav.foreldrepenger.sikkerhet.abac.pdp2; + +import java.net.URI; + +import javax.enterprise.context.ApplicationScoped; +import javax.inject.Inject; +import javax.ws.rs.client.Entity; + +import org.glassfish.jersey.client.authentication.HttpAuthenticationFeature; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlRequest; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlResponse; +import no.nav.vedtak.felles.integrasjon.rest.jersey.AbstractJerseyRestClient; +import no.nav.vedtak.konfig.KonfigVerdi; + +@ApplicationScoped +class XamclJerseyRestKlient extends AbstractJerseyRestClient implements NyXacmlConsumer { + + private static final Logger LOG = LoggerFactory.getLogger(XamclJerseyRestKlient.class); + private static final String DEFAULT_ABAC_URL = "http://abac-foreldrepenger.teamabac/application/authorize"; + private static final String PDP_ENDPOINT_URL_KEY = "abac.pdp.endpoint.url"; + private static final String SYSTEMBRUKER_USERNAME = "systembruker.username"; + private static final String SYSTEMBRUKER_PASSWORD = "systembruker.password"; // NOSONAR + private static final String MEDIA_TYPE = "application/xacml+json"; + + private final URI endpoint; + private final HttpAuthenticationFeature basicAuthFeature; + + @Inject + public XamclJerseyRestKlient( + @KonfigVerdi(value = PDP_ENDPOINT_URL_KEY, defaultVerdi = DEFAULT_ABAC_URL) URI endpoint, + @KonfigVerdi(SYSTEMBRUKER_USERNAME) String brukernavn, + @KonfigVerdi(SYSTEMBRUKER_PASSWORD) String passord) { + super(); + this.endpoint = endpoint; + basicAuthFeature = HttpAuthenticationFeature.basic(brukernavn, passord); + } + + @Override + public XacmlResponse evaluate(final XacmlRequest request) { + try { + var target = client + .register(basicAuthFeature) + .target(endpoint); + LOG.info("Sjekker ABAC på: {}", target.getUri()); + var res = target + .request(MEDIA_TYPE) + .buildPost(Entity.entity(request, 
MEDIA_TYPE)) + .invoke(XacmlResponse.class); + LOG.info("ABAC svarte OK"); + return res; + } catch (Exception e) { + LOG.warn("Kunne ikke evaluere ABAC", e); + throw e; + } + } + + @Override + public String toString() { + return getClass().getSimpleName() + " [uri=" + endpoint + "]"; + } +} diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/Advice.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/Advice.java new file mode 100644 index 000000000..5c8dc3cc7 --- /dev/null +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/Advice.java @@ -0,0 +1,7 @@ +package no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml; + +public enum Advice { + DENY_KODE_6, + DENY_KODE_7, + DENY_EGEN_ANSATT +} diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/BiasedDecisionResponse.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/BiasedDecisionResponse.java similarity index 84% rename from felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/BiasedDecisionResponse.java rename to felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/BiasedDecisionResponse.java index d1903702f..c5f0685a4 100644 --- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/BiasedDecisionResponse.java +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/BiasedDecisionResponse.java @@ -1,6 +1,4 @@ -package no.nav.vedtak.sikkerhet.pdp.xacml; - -import no.nav.vedtak.sikkerhet.abac.Decision; +package no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml; public class BiasedDecisionResponse { 
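Review bot: `evaluate` calls `client.register(basicAuthFeature).target(endpoint)` on every request, which mutates the configuration of the shared `client` inherited from `AbstractJerseyRestClient` (not visible here) each time an authorization is checked; Jersey treats repeated registration of the same component as a warning, and the intent is clearly one-time setup, so move the registration and `target(endpoint)` into the constructor and keep a `WebTarget` field. The default `DEFAULT_ABAC_URL` is plain `http://`, and `HttpAuthenticationFeature.basic` sends the system user's password base64-encoded on every call; this is only acceptable if the cluster network enforces transport encryption between the PEP and the PDP, and a short comment on the constant stating that assumption would help the next reader. Also `LOG.info("Sjekker ABAC på: {}", ...)` and `LOG.info("ABAC svarte OK")` fire on every authorization decision, and the `catch` both logs at WARN and rethrows so each failure is logged twice — consider debug level and dropping the catch.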
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Category.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/Category.java similarity index 65% rename from felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Category.java rename to felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/Category.java index 6b96c3f2b..a5eeb9636 100644 --- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Category.java +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/Category.java @@ -1,4 +1,4 @@ -package no.nav.vedtak.sikkerhet.pdp.xacml; +package no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml; public enum Category { Resource, @@ -8,5 +8,5 @@ public enum Category { RecipientSubject, IntermediarySubject, Codebase, - RequestingMachine; + RequestingMachine } diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/Decision.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/Decision.java similarity index 72% rename from felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/Decision.java rename to felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/Decision.java index 7ca87046e..948997d47 100644 --- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/Decision.java +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/Decision.java @@ -1,4 +1,4 @@ -package no.nav.vedtak.sikkerhet.abac; +package no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml; public enum Decision { Permit, 
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Obligation.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/Obligation.java similarity index 89% rename from felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Obligation.java rename to felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/Obligation.java index 645f7ea4a..1b45c74ab 100644 --- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Obligation.java +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/Obligation.java @@ -1,4 +1,4 @@ -package no.nav.vedtak.sikkerhet.pdp.xacml; +package no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml; import javax.json.JsonObject; diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlAttributeSet.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlAttributeSet.java similarity index 96% rename from felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlAttributeSet.java rename to felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlAttributeSet.java index 3b9aacf20..59c29e695 100644 --- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlAttributeSet.java +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlAttributeSet.java @@ -1,4 +1,4 @@ -package no.nav.vedtak.sikkerhet.pdp.xacml; +package no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml; import java.util.Objects; diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlRequest.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlRequest.java new file mode 100644 index 000000000..8c6623b90 --- /dev/null +++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlRequest.java 
@@ -0,0 +1,92 @@
+package no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml;
+
+import java.util.List;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class XacmlRequest {
+
+ @JsonProperty("Request")
+ private final Request request;
+
+ public XacmlRequest(final XacmlRequest.Request request) {
+ this.request = request;
+ }
+
+ public XacmlRequest.Request getRequest() {
+ return request;
+ }
+
+ public static class Request {
+
+ @JsonProperty("Action")
+ private final AttributeSet action;
+
+ @JsonProperty("Environment")
+ private final AttributeSet environment;
+
+ @JsonProperty("Resource")
+ private final List resource;
+
+ @JsonProperty("AccessSubject")
+ private final AttributeSet accessSubject;
+
+ public Request(final AttributeSet action, final AttributeSet environment, final List resource, final AttributeSet accessSubject) {
+ this.action = action;
+ this.environment = environment;
+ this.resource = resource;
+ this.accessSubject = accessSubject;
+ }
+
+ public AttributeSet getAction() {
+ return action;
+ }
+
+ public AttributeSet getEnvironment() {
+ return environment;
+ }
+
+ public List getResource() {
+ return resource;
+ }
+
+ public AttributeSet getAccessSubject() {
+ return accessSubject;
+ }
+ }
+
+ public static class AttributeSet {
+ @JsonProperty("Attributt")
+ private final List attributt;
+
+ public AttributeSet(final List attributt) {
+ this.attributt = attributt;
+ }
+
+ public List getAttributt() {
+ return attributt;
+ }
+ }
+
+ public static class Pair {
+
+ @JsonProperty("AttributeId")
+ private final String attributeId;
+
+ @JsonProperty("Value")
+ private final String value;
+
+ public Pair(final String attributeId, final String value) {
+ this.attributeId = attributeId;
+ this.value = value;
+ }
+
+ public String getAttributeId() {
+ return attributeId;
+ }
+
+ public String getValue() {
+ return value;
+ }
+ }
+}
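Review bot: `AttributeSet` serializes its list under the key `"Attributt"`, while every other key in this file (`"Request"`, `"Action"`, `"Environment"`, `"Resource"`, `"AccessSubject"`, `"AttributeId"`, `"Value"`) follows the XACML 3.0 JSON profile, where a category object carries an `"Attribute"` array. Unless the PDP this client targets accepts the Norwegian spelling, it will receive categories with no attributes and evaluate the request without subject, action or resource information; if so, the old-versus-new comparison in PepImpl should surface it as diverging decisions once the new PDP is exercised. Suggested: `@JsonProperty("Attribute")` on the field, and renaming `attributt`/`getAttributt` to `attribute`/`getAttribute` so the Java name matches the wire name. A class-level Javadoc naming the profile this shape follows would also help the next reader, since nothing in the file says what `Pair` and `AttributeSet` correspond to on the wire.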
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlRequestBuilder.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlRequestBuilder.java
similarity index 93%
rename from felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlRequestBuilder.java
rename to felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlRequestBuilder.java
index 62fcbcbb5..04a570d56 100644
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlRequestBuilder.java
+++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlRequestBuilder.java
@@ -1,4 +1,4 @@
-package no.nav.vedtak.sikkerhet.pdp.xacml;
+package no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml;
 import java.util.ArrayList;
 import java.util.EnumMap;
@@ -15,7 +15,7 @@ public class XacmlRequestBuilder {
 private static final String REQUEST = "Request";
- private Map> attributeSets = new EnumMap<>(Category.class);
+ private final Map> attributeSets = new EnumMap<>(Category.class);
 public XacmlRequestBuilder addResourceAttributeSet(XacmlAttributeSet attributeSet) {
 addAttributeSetInCategory(Category.Resource, attributeSet);
diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlResponse.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlResponse.java
new file mode 100644
index 000000000..114ff65cd
--- /dev/null
+++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlResponse.java
@@ -0,0 +1,137 @@
+package no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml;
+
+import java.util.List;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class XacmlResponse {
+
+ @JsonProperty("Response")
+ private List response;
+
+ public XacmlResponse() {
+ }
+
+ public XacmlResponse(final List Response) {
+ this.response = Response;
+ }
+
+ public List getResponse() {
+ return response;
+ }
+
+ public void setResponse(final List response) {
+ this.response = response;
+ }
+
+ public static class Response {
+
+ @JsonProperty("Decision")
+ private Decision decision;
+
+ @JsonProperty("AssociatedAdvice")
+ private List associatedAdvice;
+
+ @JsonProperty("Obligations")
+ private List obligations;
+
+ public Response() {
+ }
+
+ public Response(final Decision decision, final List associatedAdvice, final List obligations) {
+ this.decision = decision;
+ this.associatedAdvice = associatedAdvice;
+ this.obligations = obligations;
+ }
+
+ public Decision getDecision() {
+ return decision;
+ }
+
+ public List getAssociatedAdvice() {
+ return associatedAdvice;
+ }
+
+ public List getObligations() {
+ return obligations;
+ }
+
+ public void setDecision(final Decision decision) {
+ this.decision = decision;
+ }
+
+ public void setAssociatedAdvice(final List associatedAdvice) {
+ this.associatedAdvice = associatedAdvice;
+ }
+
+ public void setObligations(final List obligations) {
+ this.obligations = obligations;
+ }
+ }
+
+ public static class Assignments {
+
+ @JsonProperty("Id")
+ private String id;
+
+ @JsonProperty("AttributeAssignment")
+ private List attributeAssignment;
+
+ public Assignments() {
+ }
+
+ public Assignments(final String id, final List attributeAssignment) {
+ this.id = id;
+ this.attributeAssignment = attributeAssignment;
+ }
+
+ public String getId() {
+ return id;
+ }
+
+ public List getAttributeAssignment() {
+ return attributeAssignment;
+ }
+
+ public void setId(final String id) {
+ this.id = id;
+ }
+
+ public void setAttributeAssignment(final List attributeAssignment) {
+ this.attributeAssignment = attributeAssignment;
+ }
+ }
+
+ public static class AttributeAssignment {
+
+ @JsonProperty("AttributeId")
+ private String attributeId;
+
+ @JsonProperty("Value")
+ private String value;
+
+ public AttributeAssignment() {
+ }
+
+ public AttributeAssignment(final String attributeId, final String value) {
+ this.attributeId = attributeId;
+ this.value = value;
+ }
+
+ public String getAttributeId() {
+ return attributeId;
+ }
+
+ public String getValue() {
+ return value;
+ }
+
+ public void setAttributeId(final String attributeId) {
+ this.attributeId = attributeId;
+ }
+
+ public void setValue(final String value) {
+ this.value = value;
+ }
+ }
+}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlResponseWrapper.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlResponseWrapper.java
similarity index 98%
rename from felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlResponseWrapper.java
rename to felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlResponseWrapper.java
index b5fbfc734..496550328 100644
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/XacmlResponseWrapper.java
+++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlResponseWrapper.java
@@ -1,4 +1,4 @@
-package no.nav.vedtak.sikkerhet.pdp.xacml;
+package no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml;
 import java.util.Collection;
 import java.util.Collections;
@@ -10,8 +10,6 @@ import javax.json.JsonObject;
 import javax.json.JsonValue;
-import no.nav.vedtak.sikkerhet.abac.Decision;
-
 public class XacmlResponseWrapper {
 public static final String ATTRIBUTE_ASSIGNMENT = "AttributeAssignment";
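Review bot: The no-arg constructor `XacmlResponse()` leaves `response` null, so a PDP body without a `"Response"` member makes `getResponse()` return null and a caller that iterates it fails with an NPE instead of a clear deny; the same applies to `associatedAdvice`, `obligations` and `attributeAssignment` in the nested classes. Initialising those list fields to `List.of()` at the declaration (Jackson still overwrites them when the member is present) turns an absent member into an empty list the consumer can treat as "no decision". The parameter in `public XacmlResponse(final List Response)` is UpperCamelCase, which reads as the nested `Response` type; rename it to `response` to match the field it sets. The element types of these lists are not visible in this rendering of the diff, so I have not quoted the declarations in full.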
diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pep/PdpRequest.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pep/PdpRequest.java
new file mode 100644
index 000000000..d41967f96
--- /dev/null
+++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pep/PdpRequest.java
@@ -0,0 +1,232 @@
+package no.nav.foreldrepenger.sikkerhet.abac.pep;
+
+import java.util.Collections;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.Set;
+
+import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacBehandlingStatus;
+import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacFagsakStatus;
+import no.nav.foreldrepenger.sikkerhet.abac.domene.ActionType;
+import no.nav.foreldrepenger.sikkerhet.abac.domene.IdSubject;
+import no.nav.foreldrepenger.sikkerhet.abac.domene.IdToken;
+
+public class PdpRequest {
+
+ private String userId;
+ private IdToken idToken;
+ private ActionType actionId;
+ private String resourceType;
+ private String request;
+ private String domene;
+ private String pepId;
+ private IdSubject idSubject;
+ private Set aktørIder = Collections.emptySet();
+ private Set personnummere = Collections.emptySet();
+ private Set aksjonspunkter = Collections.emptySet();
+ private AbacBehandlingStatus behandlingStatus;
+ private AbacFagsakStatus fagsakStatus;
+ private String ansvarligSaksbenandler;
+ private Boolean aleneomsorg;
+ private String annenPartAktørId;
+
+ public static Builder builder() {
+ return new Builder();
+ }
+
+ private PdpRequest() {}
+
+ private PdpRequest(final String userId,
+ final IdToken idToken,
+ final ActionType actionId,
+ final String resourceType,
+ final String request,
+ final String domene,
+ final String pepId) {
+ this.userId = userId;
+ this.idToken = idToken;
+ this.actionId = actionId;
+ this.resourceType = resourceType;
+ this.request = request;
+ this.domene = domene;
+ this.pepId = pepId;
+ }
+
+ public String getUserId() {
+ return userId;
+ }
+
+ public IdToken getIdToken() {
+ return idToken;
+ }
+
+ public ActionType getActionId() {
+ return actionId;
+ }
+
+ public String getResourceType() {
+ return resourceType;
+ }
+
+ public String getRequest() {
+ return request;
+ }
+
+ public Optional getDomene() {
+ return Optional.ofNullable(domene);
+ }
+
+ public Optional getPepId() {
+ return Optional.ofNullable(pepId);
+ }
+
+ public Optional getIdSubject() {
+ return Optional.ofNullable(idSubject);
+ }
+
+ public void setIdSubject(final IdSubject idSubject) {
+ this.idSubject = idSubject;
+ }
+
+ public Set getAktørIder() {
+ return aktørIder;
+ }
+
+ public void setAktørIder(final Set aktørIder) {
+ this.aktørIder = aktørIder;
+ }
+
+ public Set getPersonnummere() {
+ return personnummere;
+ }
+
+ public void setPersonnummere(final Set personnummere) {
+ this.personnummere = personnummere;
+ }
+
+ public Set getAksjonspunkter() {
+ return aksjonspunkter;
+ }
+
+ public void setAksjonspunkter(final Set aksjonspunkter) {
+ this.aksjonspunkter = aksjonspunkter;
+ }
+
+ public Optional getBehandlingStatus() {
+ return Optional.ofNullable(behandlingStatus);
+ }
+
+ public void setBehandlingStatus(final AbacBehandlingStatus behandlingStatus) {
+ this.behandlingStatus = behandlingStatus;
+ }
+
+ public Optional getFagsakStatus() {
+ return Optional.ofNullable(fagsakStatus);
+ }
+
+ public void setFagsakStatus(final AbacFagsakStatus fagsakStatus) {
+ this.fagsakStatus = fagsakStatus;
+ }
+
+ public Optional getAnsvarligSaksbenandler() {
+ return Optional.ofNullable(ansvarligSaksbenandler);
+ }
+
+ public void setAnsvarligSaksbenandler(final String ansvarligSaksbenandler) {
+ this.ansvarligSaksbenandler = ansvarligSaksbenandler;
+ }
+
+ public Optional getAleneomsorg() {
+ return Optional.ofNullable(aleneomsorg);
+ }
+
+ public void setAleneomsorg(final Boolean aleneomsorg) {
+ this.aleneomsorg = aleneomsorg;
+ }
+
+ public Optional getAnnenPartAktørId() {
+ return Optional.ofNullable(annenPartAktørId);
+ }
+
+ public void setAnnenPartAktørId(final String annenPartAktørId) {
+ this.annenPartAktørId = annenPartAktørId;
+ }
+
+ @Override
+ public String toString() {
+ return "PdpRequest{" +
+ "userId='MASKERT'" +
+ ", idToken=" + idToken +
+ ", actionId=" + actionId +
+ ", resourceType='" + resourceType + '\'' +
+ ", request='" + request + '\'' +
+ ", domene='" + domene + '\'' +
+ ", pepId='" + pepId + '\'' +
+ ", idSubject=" + idSubject +
+ ", aktørIder=" + aktørIder +
+ ", fnre=" + personnummere +
+ ", aksjonspunkter=" + aksjonspunkter +
+ ", behandlingStatus=" + behandlingStatus +
+ ", fagsakStatus=" + fagsakStatus +
+ ", ansvarligSaksbenandler='" + ansvarligSaksbenandler + '\'' +
+ ", aleneomsorg=" + aleneomsorg +
+ ", annenPartAktørId='MASKERT'" +
+ '}';
+ }
+
+ public static class Builder {
+ private final PdpRequest pdpRequest;
+
+ public Builder() {
+ pdpRequest = new PdpRequest();
+ }
+
+ public Builder medUserId(String userId) {
+ pdpRequest.userId = userId;
+ return this;
+ }
+
+ public Builder medIdToken(IdToken idToken) {
+ pdpRequest.idToken = idToken;
+ return this;
+ }
+
+ public Builder medActionType(ActionType actionType) {
+ pdpRequest.actionId = actionType;
+ return this;
+ }
+
+ public Builder medResourceType(String resourceType) {
+ pdpRequest.resourceType = resourceType;
+ return this;
+ }
+
+ public Builder medRequest(String request) {
+ pdpRequest.request = request;
+ return this;
+ }
+
+ public Builder medDomene(String domene) {
+ pdpRequest.domene = domene;
+ return this;
+ }
+
+ public Builder medPepId(String pepId) {
+ pdpRequest.pepId = pepId;
+ return this;
+ }
+
+ public PdpRequest build() {
+ validateBeforeBuild();
+ return pdpRequest;
+ }
+
+ private void validateBeforeBuild() {
+ Objects.requireNonNull(pdpRequest.userId, "userId");
+ Objects.requireNonNull(pdpRequest.idToken, "idToken");
+ Objects.requireNonNull(pdpRequest.actionId, "actionId");
+ Objects.requireNonNull(pdpRequest.resourceType, "resourceType");
+ Objects.requireNonNull(pdpRequest.request, "request");
+ }
+ }
+}
diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pep/Pep.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pep/Pep.java
new file mode 100644
index 000000000..00affff91
--- /dev/null
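Review bot: `toString()` masks `userId` and `annenPartAktørId` but concatenates `personnummere` (labelled `fnre`), `aktørIder` and `idToken` unmasked, so any log statement that formats a PdpRequest — for example through a `Tilgangsbeslutning` that carries it — would emit national identity numbers and whatever `IdToken.toString()` exposes. Masking them the same way, e.g. `", aktørIder=<" + aktørIder.size() + " maskert>" + ", fnre=<" + personnummere.size() + " maskert>" + ", idToken=MASKERT"`, keeps the diagnostic value (how many identities went to the PDP) without the data. Separately, the `Collections.emptySet()` defaults only cover the unset case: `setAktørIder(null)` and its two sibling setters store null, after which `getAktørIder().size()` in PepImpl's `antallIdenter` throws; `this.aktørIder = aktørIder == null ? Set.of() : aktørIder;` closes that. `ansvarligSaksbenandler` looks like a typo for `Saksbehandler` and is baked into the getter and setter names, so it is cheapest to correct before the first caller appears.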
+++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pep/Pep.java
@@ -0,0 +1,9 @@
+package no.nav.foreldrepenger.sikkerhet.abac.pep;
+
+import no.nav.foreldrepenger.sikkerhet.abac.domene.BeskyttRessursAttributer;
+import no.nav.foreldrepenger.sikkerhet.abac.domene.Tilgangsbeslutning;
+
+public interface Pep {
+
+ Tilgangsbeslutning vurderTilgang(BeskyttRessursAttributer attributter);
+}
diff --git a/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pep/PepImpl.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pep/PepImpl.java
new file mode 100644
index 000000000..355ae08f4
--- /dev/null
+++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pep/PepImpl.java
@@ -0,0 +1,126 @@
+package no.nav.foreldrepenger.sikkerhet.abac.pep;
+
+import static no.nav.foreldrepenger.sikkerhet.abac.domene.AbacResultat.AVSLÅTT_ANNEN_ÅRSAK;
+import static no.nav.foreldrepenger.sikkerhet.abac.domene.AbacResultat.GODKJENT;
+import static no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.Decision.Deny;
+import static no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.Decision.Permit;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+
+import javax.enterprise.context.ApplicationScoped;
+import javax.enterprise.inject.Default;
+import javax.inject.Inject;
+import javax.inject.Named;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import no.nav.foreldrepenger.sikkerhet.abac.PdpRequestBuilder;
+import no.nav.foreldrepenger.sikkerhet.abac.auditlog.AbacAuditlogger;
+import no.nav.foreldrepenger.sikkerhet.abac.domene.BeskyttRessursAttributer;
+import no.nav.foreldrepenger.sikkerhet.abac.domene.Tilgangsbeslutning;
+import no.nav.foreldrepenger.sikkerhet.abac.pdp.Pdp;
+import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.Decision;
+import no.nav.vedtak.konfig.KonfigVerdi;
+
+@Default
+@ApplicationScoped
+public class PepImpl implements Pep {
+ private static final Logger LOG = LoggerFactory.getLogger(PepImpl.class);
+
+ private final static String PIP = "pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker";
+
+ private final Pdp pdp;
+ private final Pdp nyPdp;
+ private final PdpRequestBuilder builder;
+ private final Set pipUsers;
+ private final AbacAuditlogger auditlogger;
+
+ @Inject
+ public PepImpl(@Named("oldPdp") Pdp pdp,
+ @Named("nyPdp") Pdp nyPdp,
+ PdpRequestBuilder pdpRequestBuilder,
+ AbacAuditlogger auditlogger,
+ @KonfigVerdi(value = "pip.users", required = false) String pipUsers) {
+ this.pdp = pdp;
+ this.nyPdp = nyPdp;
+ this.builder = pdpRequestBuilder;
+ this.auditlogger = auditlogger;
+ this.pipUsers = konfigurePipUsers(pipUsers);
+ }
+
+ protected Set konfigurePipUsers(String pipUsers) {
+ if (pipUsers != null) {
+ return Set.of(pipUsers.toLowerCase().split(","));
+ }
+ return Set.of();
+ }
+
+ @Override
+ public Tilgangsbeslutning vurderTilgang(BeskyttRessursAttributer ressursAttributer) {
+ var pdpRequest = builder.lagPdpRequest(ressursAttributer);
+ if (PIP.equals(ressursAttributer.getResource())) {
+ return vurderTilgangTilPipTjenesten(pdpRequest, ressursAttributer);
+ }
+
+ var tilgangsbeslutning = pdp.forespørTilgang(pdpRequest);
+
+ Tilgangsbeslutning nytilgangsbeslutning;
+ try {
+ nytilgangsbeslutning = nyPdp.forespørTilgang(pdpRequest);
+ sammenlignResultat(tilgangsbeslutning, nytilgangsbeslutning);
+ } catch (Exception e) {
+ LOG.info("Fikk exception fra ny pdp tjeneste.", e);
+ }
+ return tilgangsbeslutning;
+ }
+
+ private void sammenlignResultat(final Tilgangsbeslutning tilgangsbeslutning, final Tilgangsbeslutning nytilgangsbeslutning) {
+ if (tilgangsbeslutning != null && nytilgangsbeslutning != null) {
+ if (!tilgangsbeslutning.getBeslutningKode().equals(nytilgangsbeslutning.getBeslutningKode())) {
+ LOG.info("PEP: Fikk forskjellig tilgangsbeslutning old:{} vs new:{}", tilgangsbeslutning.getBeslutningKode(), nytilgangsbeslutning.getBeslutningKode());
+ }
+ if (tilgangsbeslutning.getDelbeslutninger().size() != nytilgangsbeslutning.getDelbeslutninger().size()) {
+ LOG.info("PEP: Antall delbeslutninger er forskjellig old:{} vs new:{}", tilgangsbeslutning.getDelbeslutninger(), nytilgangsbeslutning.getDelbeslutninger());
+ }
+ } else {
+ LOG.info("Resultatene kan ikke være null, old:{} vs new:{}", tilgangsbeslutning, nytilgangsbeslutning);
+ }
+ }
+
+ protected Tilgangsbeslutning vurderTilgangTilPipTjenesten(PdpRequest pdpRequest, BeskyttRessursAttributer ressursAttributer) {
+ String uid = pdpRequest.getUserId();
+ if (pipUsers.contains(uid.toLowerCase())) {
+ return lagBeslutning(pdpRequest, Permit);
+ }
+ var tilgangsbeslutning = lagBeslutning(pdpRequest, Deny);
+ auditlogger.loggDeny(tilgangsbeslutning.getPdpRequest(), ressursAttributer);
+ return tilgangsbeslutning;
+ }
+
+ protected Tilgangsbeslutning lagBeslutning(PdpRequest pdpRequest, Decision decision) {
+ int antallResources = antallResources(pdpRequest);
+ var decisions = lagDecisions(antallResources, decision);
+ return new Tilgangsbeslutning(decision.equals(Permit) ? GODKJENT : AVSLÅTT_ANNEN_ÅRSAK, decisions, pdpRequest);
+ }
+
+ private int antallResources(PdpRequest pdpRequest) {
+ return Math.max(1, antallIdenter(pdpRequest)) * Math.max(1, pdpRequest.getAksjonspunkter().size());
+ }
+
+ private int antallIdenter(PdpRequest pdpRequest) {
+ return pdpRequest.getAktørIder().size() +
+ pdpRequest.getPersonnummere().size();
+ }
+
+ private List lagDecisions(int antallDecisions, Decision decision) {
+ List decisions = new ArrayList<>();
+ for (int i = 0; i < antallDecisions; i++) {
+ decisions.add(decision);
+ }
+ return decisions;
+ }
+
+}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PepNektetTilgangException.java b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pep/PepNektetTilgangException.java
similarity index 87%
rename from felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PepNektetTilgangException.java
rename to felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pep/PepNektetTilgangException.java
index afe5c0122..3050e5bdd 100644
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PepNektetTilgangException.java
+++ b/felles/abac/src/main/java/no/nav/foreldrepenger/sikkerhet/abac/pep/PepNektetTilgangException.java
@@ -1,4 +1,4 @@
-package no.nav.vedtak.sikkerhet.abac;
+package no.nav.foreldrepenger.sikkerhet.abac.pep;
 import no.nav.vedtak.exception.ManglerTilgangException;
diff --git a/felles/abac/src/main/resources/META-INF/beans.xml b/felles/abac/src/main/resources/META-INF/beans.xml
new file mode 100644
index 000000000..4788e81b1
--- /dev/null
+++ b/felles/abac/src/main/resources/META-INF/beans.xml
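Review bot: `konfigurePipUsers` builds the allow-list with `Set.of(pipUsers.toLowerCase().split(","))`, and `Set.of` throws `IllegalArgumentException` on a duplicate element, so a `pip.users` value such as `a,a` (constructed example) fails bean construction at startup; entries are also not trimmed, so `a, b` stores `" b"` and that user is silently denied in `vurderTilgangTilPipTjenesten`. Both `toLowerCase()` calls use the default locale; pass `Locale.ROOT` so the match does not depend on the JVM's locale. Suggested body (needs `java.util.Arrays`, `java.util.Locale`, `java.util.stream.Collectors`; use `trim()` instead of `strip()` if the module targets Java 10): `return Arrays.stream(pipUsers.split(",")).map(s -> s.strip().toLowerCase(Locale.ROOT))` / `.filter(s -> !s.isEmpty()).collect(Collectors.toUnmodifiableSet());`, and in the lookup `if (pipUsers.contains(uid.toLowerCase(Locale.ROOT))) {`. Since the PIP branch is the only place this class grants access without consulting a PDP, a one-line comment above `PIP` stating that membership in `pip.users` alone yields Permit for that resource would make the intent reviewable.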
@@ -0,0 +1,6 @@
+
+
+
diff --git a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursInterceptorTest.java b/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/BeskyttetRessursInterceptorTest.java
similarity index 51%
rename from felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursInterceptorTest.java
rename to felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/BeskyttetRessursInterceptorTest.java
index c90a86613..edffbf04d 100644
--- a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursInterceptorTest.java
+++ b/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/BeskyttetRessursInterceptorTest.java
@@ -1,4 +1,4 @@
-package no.nav.vedtak.sikkerhet.abac;
+package no.nav.foreldrepenger.sikkerhet.abac;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.mock;
@@ -10,212 +10,112 @@ import java.lang.reflect.Method; import java.util.Collections; import java.util.Map; +import java.util.Set; import java.util.regex.Pattern; import javax.interceptor.InvocationContext; -import javax.security.auth.Subject; -import javax.ws.rs.Path; import org.assertj.core.api.Fail; -import org.junit.jupiter.api.AfterEach; -import org.junit.jupiter.api.BeforeAll; -import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.mockito.ArgumentCaptor; import org.mockito.Mockito; -import ch.qos.logback.classic.Level; -import ch.qos.logback.classic.Logger; +import no.nav.foreldrepenger.sikkerhet.abac.auditlog.AbacAuditlogger; +import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacDataAttributter; +import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacResultat; +import no.nav.foreldrepenger.sikkerhet.abac.domene.ActionType; +import no.nav.foreldrepenger.sikkerhet.abac.domene.BeskyttRessursAttributer; +import no.nav.foreldrepenger.sikkerhet.abac.domene.IdToken; +import no.nav.foreldrepenger.sikkerhet.abac.domene.StandardAbacAttributtType; +import no.nav.foreldrepenger.sikkerhet.abac.domene.Tilgangsbeslutning; +import no.nav.foreldrepenger.sikkerhet.abac.domene.TokenType; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.Decision; +import no.nav.foreldrepenger.sikkerhet.abac.pep.PdpRequest; import no.nav.vedtak.exception.ManglerTilgangException; import no.nav.vedtak.log.audit.Auditdata; import no.nav.vedtak.log.audit.Auditlogger; -import no.nav.vedtak.log.util.MemoryAppender; -import no.nav.vedtak.sikkerhet.context.SubjectHandlerUtils; -import no.nav.vedtak.sikkerhet.context.ThreadLocalSubjectHandler; -import no.nav.vedtak.sikkerhet.domene.IdentType; -import no.nav.vedtak.sikkerhet.domene.OidcCredential; -import no.nav.vedtak.util.AppLoggerFactory; class BeskyttetRessursInterceptorTest { private static final String DUMMY_ID_TOKEN = 
"eyJraWQiOiI3Mzk2ZGIyZC1hN2MyLTQ1OGEtYjkzNC02ODNiNDgzYzUyNDIiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.OvzjuabvPHG9nlRVc_KlCUTHOdfeT9GtBkASUGIoMayWGeIBDkr4-jc9gu6uT_WQqi9IJnvPkWgP3veqYHcOHpapD1yVNaQpxlrJQ04yP6N3gvkn-DcrBRDb3II_6qSaPQ_us2PJBDPq2VD5TGrNOL6EFwr8FK3zglYr-PgjW016ULTcmx_7gdHmbiC5PEn1_OtGNxzoUhSGKoD3YtUWP0qdsXzoKyeFL5FG9uZMSrDHHiJBZQFXGL9OzBU49Zb2K-iEPqa9m91O2JZGkhebfLjCAIPLPN4J68GFyfTvtNkZO71znorjo-e1nWxz53Wkj---RDY3JlIqNqzqHTfJgQ"; private final RestClass tjeneste = new RestClass(); - private AktørDto aktør1 = new AktørDto("00000000000"); - private BehandlingIdDto behandlingIdDto = new BehandlingIdDto(1234L); + private final AktørDto aktør1 = new AktørDto("12345678901"); + private final BehandlingIdDto behandlingIdDto = new BehandlingIdDto(1234L); private final ArgumentCaptor auditdataCaptor = ArgumentCaptor.forClass(Auditdata.class); - private AbacAuditlogger noAuditLogger = new AbacAuditlogger(new Auditlogger(true, "felles", "felles-test")); - - private static MemoryAppender sniffer; - private static Logger LOG; - - @BeforeAll - static void beforeAll() { - LOG = Logger.class.cast(AppLoggerFactory.getSporingLogger(DefaultAbacSporingslogg.class)); - LOG.setLevel(Level.INFO); - sniffer = new MemoryAppender(LOG.getName()); - LOG.addAppender(sniffer); - sniffer.start(); - } - - @BeforeEach - void beforeEach() { - SubjectHandlerUtils.useSubjectHandler(ThreadLocalSubjectHandler.class); - SubjectHandlerUtils.setSubject(buildSubject()); - } - - private static Subject buildSubject() { - Subject subject = new SubjectHandlerUtils.SubjectBuilder("A000000", IdentType.InternBruker).getSubject(); - subject.getPublicCredentials().add(new OidcCredential(DUMMY_ID_TOKEN)); - return subject; - - } - - @AfterEach - void afterEach() { - sniffer.reset(); - SubjectHandlerUtils.unsetSubjectHandler(); - } - - @Test - void sporingslogg_skal_logge_parametre_som_går_til_pdp_til_sporingslogg_ved_permit() throws Exception { - 
skal_logge_parametre_som_går_til_pdp_til_sporingslogg_ved_permit(noAuditLogger); - assertLogged( - "action=/foo/aktoer_in abac_action=create abac_resource_type=pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker aktorId=00000000000"); - } - @Test void auditlogg_skal_logge_parametre_som_går_til_pdp_til_sporingslogg_ved_permit() throws Exception { final Auditlogger auditlogger = mockAuditLogger(); final AbacAuditlogger abacAuditlogger = new AbacAuditlogger(auditlogger); - skal_logge_parametre_som_går_til_pdp_til_sporingslogg_ved_permit(abacAuditlogger); - assertGotPattern(auditlogger, - "CEF:0|felles|felles-test|1.0|audit:create|ABAC Sporingslogg|INFO|act=create duid=00000000000 end=__NUMBERS__ request=/foo/aktoer_in requestContext=pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker suid=A000000"); - } - - private void skal_logge_parametre_som_går_til_pdp_til_sporingslogg_ved_permit(AbacAuditlogger abacAuditLogger) - throws NoSuchMethodException, Exception { BeskyttetRessursInterceptor interceptor = new BeskyttetRessursInterceptor(attributter -> { - PdpRequest pdpRequest = new PdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE, Collections.singleton(aktør1.getAktørId())); - pdpRequest.put(NavAbacCommonAttributter.XACML10_ACTION_ACTION_ID, attributter.getActionType().getEksternKode()); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_RESOURCE_TYPE, attributter.getResource()); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, attributter.getIdToken()); + PdpRequest pdpRequest = lagPdpRequest(attributter); return new Tilgangsbeslutning( AbacResultat.GODKJENT, Collections.singletonList(Decision.Permit), - pdpRequest); - }, new DefaultAbacSporingslogg(), abacAuditLogger, new TokenProvider() { - }); + pdpRequest); + }, abacAuditlogger); Method method = RestClass.class.getMethod("aktoerIn", AktørDto.class); InvocationContext ic = new TestInvocationContext(method, new Object[] { aktør1 }); interceptor.wrapTransaction(ic); - } 
- - @Test - void sporingslogg_skal_også_logge_input_parametre_til_sporingslogg_ved_permit() throws Exception { - skal_også_logge_input_parametre_til_sporingslogg_ved_permit(noAuditLogger); - assertLogged( - "action=/foo/behandling_id_in abac_action=create abac_resource_type=pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker aktorId=00000000000 behandlingId=1234"); + assertGotPattern(auditlogger, + "CEF:0|felles|felles-test|1.0|audit:create|ABAC Sporingslogg|INFO|act=create duid=12345678901 end=__NUMBERS__ request=/foo/aktoer_in requestContext=pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker suid=A000000"); } @Test void auditlogg_skal_også_logge_input_parametre_til_sporingslogg_ved_permit() throws Exception { final Auditlogger auditlogger = mockAuditLogger(); final AbacAuditlogger abacAuditlogger = new AbacAuditlogger(auditlogger); - skal_også_logge_input_parametre_til_sporingslogg_ved_permit(abacAuditlogger); - assertGotPattern(auditlogger, - "CEF:0|felles|felles-test|1.0|audit:create|ABAC Sporingslogg|INFO|act=create duid=00000000000 end=__NUMBERS__ flexString2=1234 flexString2Label=Behandling request=/foo/behandling_id_in requestContext=pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker suid=A000000"); - } - - private void skal_også_logge_input_parametre_til_sporingslogg_ved_permit(AbacAuditlogger abacAuditLogger) throws Exception { BeskyttetRessursInterceptor interceptor = new BeskyttetRessursInterceptor(attributter -> { - PdpRequest pdpRequest = new PdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE, (Collections.singleton(aktør1.getAktørId()))); - pdpRequest.put(NavAbacCommonAttributter.XACML10_ACTION_ACTION_ID, attributter.getActionType().getEksternKode()); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_RESOURCE_TYPE, attributter.getResource()); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, attributter.getIdToken()); + PdpRequest pdpRequest = lagPdpRequest(attributter); return new Tilgangsbeslutning( 
AbacResultat.GODKJENT, Collections.singletonList(Decision.Permit), - pdpRequest); - }, new DefaultAbacSporingslogg(), abacAuditLogger, new TokenProvider() { - }); + pdpRequest); + }, abacAuditlogger); Method method = RestClass.class.getMethod("behandlingIdIn", BehandlingIdDto.class); InvocationContext ic = new TestInvocationContext(method, new Object[] { behandlingIdDto }); interceptor.wrapTransaction(ic); + assertGotPattern(auditlogger, + "CEF:0|felles|felles-test|1.0|audit:create|ABAC Sporingslogg|INFO|act=create duid=12345678901 end=__NUMBERS__ flexString2=1234 flexString2Label=Behandling request=/foo/behandling_id_in requestContext=pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker suid=A000000"); } @Test - void sporingslogg_skal_ikke_logge_parametre_som_går_til_pdp_til_sporingslogg_ved_permit_når_det_er_konfigurert_unntak_i_annotering() + void auditlog_skal_ikke_logge_parametre_som_går_til_pdp_til_auditlogg_ved_permit_når_det_er_konfigurert_unntak_i_annotering() throws Exception { - skal_ikke_logge_parametre_som_går_til_pdp_til_sporingslogg_ved_permit_når_det_er_konfigurert_unntak_i_annotering(noAuditLogger); - assertThat(sniffer.countEntries("action")).isZero(); - } - @Test - void auditlog_skal_ikke_logge_parametre_som_går_til_pdp_til_sporingslogg_ved_permit_når_det_er_konfigurert_unntak_i_annotering() - throws Exception { final Auditlogger auditlogger = mockAuditLogger(); final AbacAuditlogger abacAuditlogger = new AbacAuditlogger(auditlogger); - skal_ikke_logge_parametre_som_går_til_pdp_til_sporingslogg_ved_permit_når_det_er_konfigurert_unntak_i_annotering(abacAuditlogger); - verify(auditlogger, never()).logg(Mockito.any()); - } - private void skal_ikke_logge_parametre_som_går_til_pdp_til_sporingslogg_ved_permit_når_det_er_konfigurert_unntak_i_annotering( - AbacAuditlogger abacAuditLogger) throws Exception { BeskyttetRessursInterceptor interceptor = new BeskyttetRessursInterceptor(attributter -> { - PdpRequest pdpRequest = new PdpRequest(); - 
pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, (Collections.singleton(aktør1.getAktørId()))); - pdpRequest.put(NavAbacCommonAttributter.XACML10_ACTION_ACTION_ID, attributter.getActionType().getEksternKode()); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_RESOURCE_TYPE, attributter.getResource()); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, attributter.getIdToken()); + PdpRequest pdpRequest = lagPdpRequest(attributter); return new Tilgangsbeslutning( AbacResultat.GODKJENT, Collections.singletonList(Decision.Permit), - pdpRequest); - }, new DefaultAbacSporingslogg(), abacAuditLogger, new TokenProvider() { - }); + pdpRequest); + }, abacAuditlogger); Method method = RestClass.class.getMethod("utenSporingslogg", BehandlingIdDto.class); InvocationContext ic = new TestInvocationContext(method, new Object[] { behandlingIdDto }); interceptor.wrapTransaction(ic); - } - - @Test - void sporingslog_skal_logge_parametre_som_går_til_pdp_til_sporingslogg_ved_deny() throws Exception { - skal_logge_parametre_som_går_til_pdp_til_sporingslogg_ved_deny(noAuditLogger); - assertLogged( - "action=/foo/aktoer_in abac_action=create abac_resource_type=pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker aktorId=00000000000 decision=Deny"); + verify(auditlogger, never()).logg(Mockito.any()); } @Test void auditlog_skal_logge_parametre_som_går_til_pdp_til_sporingslogg_ved_deny() throws Exception { final Auditlogger auditlogger = mockAuditLogger(); final AbacAuditlogger abacAuditlogger = new AbacAuditlogger(auditlogger); - skal_logge_parametre_som_går_til_pdp_til_sporingslogg_ved_deny(abacAuditlogger); - assertGotPattern(auditlogger, - "CEF:0|felles|felles-test|1.0|audit:create|ABAC Sporingslogg|WARN|act=create duid=00000000000 end=__NUMBERS__ request=/foo/aktoer_in requestContext=pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker suid=A000000"); - } - - private void skal_logge_parametre_som_går_til_pdp_til_sporingslogg_ved_deny(AbacAuditlogger abacAuditLogger) 
throws Exception { BeskyttetRessursInterceptor interceptor = new BeskyttetRessursInterceptor(attributter -> { - PdpRequest pdpRequest = new PdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, (Collections.singleton(aktør1.getAktørId()))); - pdpRequest.put(NavAbacCommonAttributter.XACML10_ACTION_ACTION_ID, attributter.getActionType().getEksternKode()); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_RESOURCE_TYPE, attributter.getResource()); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, attributter.getIdToken()); + PdpRequest pdpRequest = lagPdpRequest(attributter); return new Tilgangsbeslutning( AbacResultat.AVSLÅTT_KODE_6, Collections.singletonList(Decision.Deny), - pdpRequest); - }, new DefaultAbacSporingslogg(), abacAuditLogger, new TokenProvider() { - }); + pdpRequest); + }, abacAuditlogger); Method method = RestClass.class.getMethod("aktoerIn", AktørDto.class); InvocationContext ic = new TestInvocationContext(method, new Object[] { aktør1 }); @@ -226,6 +126,21 @@ void afterEach() { } catch (ManglerTilgangException e) { // FORVENTET } + assertGotPattern(auditlogger, + "CEF:0|felles|felles-test|1.0|audit:create|ABAC Sporingslogg|WARN|act=create duid=12345678901 end=__NUMBERS__ request=/foo/aktoer_in requestContext=pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker suid=A000000"); + } + + private PdpRequest lagPdpRequest(final BeskyttRessursAttributer attributter) { + PdpRequest pdpRequest = PdpRequest.builder() + .medActionType(attributter.getActionType()) + .medResourceType(attributter.getResource()) + .medIdToken(IdToken.withToken(DUMMY_ID_TOKEN, TokenType.OIDC)) + .medUserId("A000000") + .medRequest(attributter.getRequestPath()) + .medDomene("foreldrepenger") + .build(); + pdpRequest.setAktørIder(Set.of(aktør1.getAktørId())); + return pdpRequest; } private void assertGotPattern(final Auditlogger auditlogger, String expected) { 
@@ -236,46 +151,34 @@ private void assertGotPattern(final Auditlogger auditlogger, String expected) { private static Auditlogger mockAuditLogger() { final Auditlogger auditlogger = mock(Auditlogger.class); - when(auditlogger.isEnabled()).thenReturn(true); when(auditlogger.getDefaultVendor()).thenReturn("felles"); when(auditlogger.getDefaultProduct()).thenReturn("felles-test"); return auditlogger; } - private static final String toAuditdataPattern(String s) { + private static String toAuditdataPattern(String s) { return Pattern.quote(s).replaceAll("__NUMBERS__", unquoteInReplacement("[0-9]*")); } - private static final String unquoteInReplacement(String s) { + private static String unquoteInReplacement(String s) { return "\\\\E" + s + "\\\\Q"; } - @Path("foo") static class RestClass { - @BeskyttetRessurs(action = BeskyttetRessursActionAttributt.CREATE, resource = "pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker") - @Path("aktoer_in") - public void aktoerIn(@SuppressWarnings("unused") AktørDto param) { - - } - - @BeskyttetRessurs(action = BeskyttetRessursActionAttributt.CREATE, resource = "pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker") - @Path("behandling_id_in") - public void behandlingIdIn(@SuppressWarnings("unused") BehandlingIdDto param) { + @BeskyttetRessurs(action = ActionType.CREATE, resource = "pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker", path = "/foo/aktoer_in") + public void aktoerIn(@SuppressWarnings("unused") AktørDto param) { } - } - - @BeskyttetRessurs(action = BeskyttetRessursActionAttributt.CREATE, resource = "pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker", sporingslogg = false) - @Path("uten_sporingslogg") - public void utenSporingslogg(@SuppressWarnings("unused") BehandlingIdDto param) { - - } + @BeskyttetRessurs(action = ActionType.CREATE, resource = "pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker", path = "/foo/behandling_id_in") + public void behandlingIdIn(@SuppressWarnings("unused") BehandlingIdDto param) { } + 
@BeskyttetRessurs(action = ActionType.CREATE, resource = "pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker", path = "/foo/uten_sporingslogg", sporingslogg = false) + public void utenSporingslogg(@SuppressWarnings("unused") BehandlingIdDto param) { } } private static class AktørDto implements AbacDto { - private String aktørId; + private final String aktørId; public AktørDto(String aktørId) { this.aktørId = aktørId; @@ -293,7 +196,7 @@ public AbacDataAttributter abacAttributter() { private static class BehandlingIdDto implements AbacDto { - private Long id; + private final Long id; public BehandlingIdDto(Long id) { this.id = id; @@ -307,7 +210,7 @@ public AbacDataAttributter abacAttributter() { private class TestInvocationContext implements InvocationContext { - private Method method; + private final Method method; private Object[] parameters; TestInvocationContext(Method method, Object[] parameters) { @@ -355,8 +258,4 @@ public Object proceed() throws Exception { return method.invoke(tjeneste, parameters); } } - - private static void assertLogged(String string) { - assertThat(sniffer.searchInfo(string)).isNotNull(); - } } diff --git a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImplTest.java b/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/PdpImplTest.java similarity index 60% rename from felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImplTest.java rename to felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/PdpImplTest.java index 7684ba45a..0ec41bd99 100644 --- a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImplTest.java +++ b/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/PdpImplTest.java @@ -1,4 +1,4 @@ -package no.nav.vedtak.sikkerhet.pdp; +package no.nav.foreldrepenger.sikkerhet.abac.pdp; import static org.assertj.core.api.Assertions.assertThat; import static org.mockito.ArgumentMatchers.any; 
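Review bot: The endpoint reported in the audit record now comes from a hand-written `path = "/foo/aktoer_in"` on `@BeskyttetRessurs` rather than the JAX-RS `@Path("foo")`/`@Path("aktoer_in")` annotations this hunk removes, so the `request=` field in the CEF line can silently drift from the route actually served whenever one is edited without the other. Unless the interceptor validates it (not visible here), consider failing fast on a blank `path` and covering that with a test, and document the coupling on the annotation with `// path must match the JAX-RS route; it is what the audit log reports as request=`. Dropping `when(auditlogger.isEnabled()).thenReturn(true)` from `mockAuditLogger` presumably means `AbacAuditlogger` no longer consults `isEnabled()`; if so, nothing left in this class checks that a disabled audit logger suppresses output, which deserves one explicit test.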
@@ -9,11 +9,13 @@ import java.io.FileNotFoundException; import java.io.FileReader; import java.nio.charset.StandardCharsets; +import java.util.ArrayList; import java.util.Arrays; import java.util.Base64; import java.util.Collections; import java.util.HashSet; import java.util.List; +import java.util.Objects; import java.util.Set; import javax.json.Json; 
@@ -25,94 +27,85 @@ import org.junit.jupiter.api.Test; import org.mockito.ArgumentCaptor; +import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacAttributtNøkkel; +import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacResultat; +import no.nav.foreldrepenger.sikkerhet.abac.domene.ActionType; +import no.nav.foreldrepenger.sikkerhet.abac.domene.IdToken; +import no.nav.foreldrepenger.sikkerhet.abac.domene.Tilgangsbeslutning; +import no.nav.foreldrepenger.sikkerhet.abac.domene.TokenType; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.Decision; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlRequestBuilder; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlResponseWrapper; +import no.nav.foreldrepenger.sikkerhet.abac.pep.PdpRequest; import no.nav.vedtak.exception.VLException; -import no.nav.vedtak.sikkerhet.abac.AbacIdToken; -import no.nav.vedtak.sikkerhet.abac.AbacResultat; -import no.nav.vedtak.sikkerhet.abac.BeskyttetRessursActionAttributt; -import no.nav.vedtak.sikkerhet.abac.Decision; -import no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter; -import no.nav.vedtak.sikkerhet.abac.PdpKlient; -import no.nav.vedtak.sikkerhet.abac.PdpRequest; -import no.nav.vedtak.sikkerhet.abac.Tilgangsbeslutning; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequestBuilder; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlResponseWrapper; - -public class PdpKlientImplTest { + +public class PdpImplTest { public static final String JWT_TOKEN = "eyAidHlwIjogIkpXVCIsICJraWQiOiAiU0gxSWVSU2sxT1VGSDNzd1orRXVVcTE5VHZRPSIsICJhbGciOiAiUlMyNTYiIH0.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.S2DKQweQWZIfjaAT2UP9_dxrK5zqpXj8IgtjDLt5PVfLYfZqpWGaX-ckXG0GlztDVBlRK4ylmIYacTmEAUV_bRa_qWKRNxF83SlQRgHDSiE82SGv5WHOGEcAxf2w_d50XsgA2KDBCyv0bFIp9bCiKzP11uWPW0v4uIkyw2xVxMVPMCuiMUtYFh80sMDf9T4FuQcFd0LxoYcSFDEDlwCdRiF3ufw73qtMYBlNIMbTGHx-DZWkZV7CgukmCee79gwQIvGwdLrgaDrHFCJUDCbB1FFEaE3p3_BZbj0T54fCvL69aHyWm1zEd9Pys15yZdSh3oSSr4yVNIxhoF-nQ7gY-g;"; - private PdpKlient 
pdpKlient; - private PdpConsumer pdpConsumerMock; - private XacmlRequestBuilderTjenesteImpl xamlRequestBuilderTjeneste; + private Pdp pdpKlient; + private XacmlConsumer xacmlConsumerMock; @BeforeEach public void setUp() { - pdpConsumerMock = mock(PdpConsumer.class); - xamlRequestBuilderTjeneste = new XacmlRequestBuilderTjenesteImpl(); - pdpKlient = new PdpKlientImpl(pdpConsumerMock, xamlRequestBuilderTjeneste); + xacmlConsumerMock = mock(XacmlConsumer.class); + pdpKlient = new PdpImpl(xacmlConsumerMock); } @Test public void kallPdpMedSamlTokenNårIdTokenErSamlToken() throws Exception { - AbacIdToken idToken = AbacIdToken.withSamlToken("SAML"); XacmlResponseWrapper responseWrapper = createResponse("xacmlresponse.json"); ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequestBuilder.class); - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); - PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, Collections.singleton("12345678900")); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); + when(xacmlConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); + PdpRequest pdpRequest = lagPdpRequest(IdToken.withToken("", TokenType.SAML)); + pdpRequest.setPersonnummere(Collections.singleton("12345678900")); pdpKlient.forespørTilgang(pdpRequest); - assertThat(captor.getValue().build().toString().contains(NavAbacCommonAttributter.ENVIRONMENT_FELLES_SAML_TOKEN)).isTrue(); + assertThat(captor.getValue().build().toString().contains(AbacAttributtNøkkel.ENVIRONMENT_SAML_TOKEN)).isTrue(); } @Test public void kallPdpUtenFnrResourceHvisPersonlisteErTom() throws FileNotFoundException { - AbacIdToken idToken = AbacIdToken.withOidcToken(JWT_TOKEN); XacmlResponseWrapper responseWrapper = createResponse("xacmlresponse.json"); ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequestBuilder.class); - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); + 
when(xacmlConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, Collections.emptySet()); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); + pdpKlient.forespørTilgang(pdpRequest); - assertThat(captor.getValue().build().toString().contains(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR)).isFalse(); + assertThat(captor.getValue().build().toString().contains(AbacAttributtNøkkel.RESOURCE_PERSON_FNR)).isFalse(); } @Test public void kallPdpMedJwtTokenBodyNårIdTokenErJwtToken() throws Exception { - AbacIdToken idToken = AbacIdToken.withOidcToken(JWT_TOKEN); XacmlResponseWrapper responseWrapper = createResponse("xacmlresponse.json"); ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequestBuilder.class); - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); + when(xacmlConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, Collections.singleton("12345678900")); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); + pdpRequest.setPersonnummere(Collections.singleton("12345678900")); pdpKlient.forespørTilgang(pdpRequest); - assertThat(captor.getValue().build().toString().contains(NavAbacCommonAttributter.ENVIRONMENT_FELLES_OIDC_TOKEN_BODY)).isTrue(); + assertThat(captor.getValue().build().toString().contains(AbacAttributtNøkkel.ENVIRONMENT_OIDC_TOKEN_BODY)).isTrue(); } @Test public void kallPdpMedFlereAttributtSettNårPersonlisteStørreEnn1() throws FileNotFoundException { - AbacIdToken idToken = AbacIdToken.withOidcToken(JWT_TOKEN); XacmlResponseWrapper responseWrapper = createResponse("xacml3response.json"); ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequestBuilder.class); - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); + 
when(xacmlConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); + + PdpRequest pdpRequest = lagPdpRequest(); Set personnr = new HashSet<>(); personnr.add("12345678900"); personnr.add("00987654321"); personnr.add("15151515151"); + pdpRequest.setPersonnummere(personnr); - PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, personnr); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); pdpKlient.forespørTilgang(pdpRequest); String xacmlRequestString = captor.getValue().build().toString(); @@ -124,19 +117,18 @@ public void kallPdpUtenFnrResourceHvisPersonlisteErTom() throws FileNotFoundExce @Test public void kallPdpMedFlereAttributtSettNårPersonlisteStørreEnn2() throws FileNotFoundException { - AbacIdToken idToken = AbacIdToken.withOidcToken(JWT_TOKEN); XacmlResponseWrapper responseWrapper = createResponse("xacmlresponse-array.json"); ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequestBuilder.class); - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); + when(xacmlConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); Set personnr = new HashSet<>(); personnr.add("12345678900"); personnr.add("00987654321"); personnr.add("15151515151"); PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, personnr); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); + pdpRequest.setPersonnummere(personnr); + pdpKlient.forespørTilgang(pdpRequest); String xacmlRequestString = captor.getValue().build().toString(); 
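Review bot: `JWT_TOKEN` ends in `-g;` inside the string literal, so the signature segment carries a `;` that is not valid base64url; this looks like a paste artefact, and any strict token handling in the mapper would reject it without these tests noticing, because `kallPdpMedJwtTokenBodyNårIdTokenErJwtToken` only asserts that the attribute id `ENVIRONMENT_OIDC_TOKEN_BODY` appears, not that a body value was attached. Drop the stray `;` and assert the value, e.g. `assertThat(captor.getValue().build().toString()).contains(JWT_TOKEN.split("\\.")[1]);`. The same weakness applies to `kallPdpMedSamlTokenNårIdTokenErSamlToken`, which passes an empty SAML token and checks only the attribute id. The literal is also copied verbatim into `NyPdpImplTest` and `XacmlRequestMapperTest`; a single shared fixture avoids three copies of what, if it was ever issued by a real IdP, is a bearer credential kept in git history.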
@@ -148,25 +140,23 @@ public void kallPdpUtenFnrResourceHvisPersonlisteErTom() throws FileNotFoundExce @Test public void sporingsloggListeSkalHaSammeRekkefølgePåidenterSomXacmlRequest() throws FileNotFoundException { - AbacIdToken idToken = AbacIdToken.withOidcToken(JWT_TOKEN); XacmlResponseWrapper responseWrapper = createResponse("xacml3response.json"); ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequestBuilder.class); - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); + when(xacmlConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); Set personnr = new HashSet<>(); personnr.add("12345678900"); personnr.add("00987654321"); personnr.add("15151515151"); PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, personnr); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); + pdpRequest.setPersonnummere(personnr); pdpKlient.forespørTilgang(pdpRequest); JsonObject xacmlRequest = captor.getValue().build(); JsonArray resourceArray = xacmlRequest.getJsonObject("Request").getJsonArray("Resource"); - List personer = pdpRequest.getListOfString(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR); + List personer = new ArrayList<>(pdpRequest.getPersonnummere()); for (int i = 0; i < personer.size(); i++) { assertThat(resourceArray.get(i).toString().contains(personer.get(i))).isTrue(); 
@@ -174,70 +164,62 @@ public void kallPdpUtenFnrResourceHvisPersonlisteErTom() throws FileNotFoundExce } @Test - public void skal_base64_encode_saml_token() throws Exception { - AbacIdToken idToken = AbacIdToken.withSamlToken(""); - @SuppressWarnings("unused") - XacmlResponseWrapper responseWrapper = createResponse("xacmlresponse_multiple_obligation.json"); + public void skal_base64_encode_saml_token() { + PdpRequest pdpRequest = lagPdpRequest(IdToken.withToken("", TokenType.SAML)); + pdpRequest.setPersonnummere(Collections.singleton("12345678900")); - PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, Collections.singleton("12345678900")); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); + var builder = XacmlRequestMapper.lagXacmlRequestBuilder(pdpRequest); - XacmlRequestBuilder builder = xamlRequestBuilderTjeneste.lagXacmlRequestBuilder(pdpRequest); - ((PdpKlientImpl) pdpKlient).leggPåTokenInformasjon(builder, pdpRequest); JsonObject jsonRequest = builder.build(); JsonObject request = jsonRequest.getJsonObject("Request"); JsonObject environment = request.getJsonObject("Environment"); JsonArray attributes = environment.getJsonArray("Attribute"); - assertHasAttribute(attributes, NavAbacCommonAttributter.ENVIRONMENT_FELLES_SAML_TOKEN, - Base64.getEncoder().encodeToString("".getBytes(StandardCharsets.UTF_8))); + assertHasAttribute(attributes, + Base64.getEncoder().encodeToString("".getBytes(StandardCharsets.UTF_8))); attributes.getJsonObject(0).getJsonString("AttributeId"); } @Test public void skal_bare_ta_med_deny_advice() throws Exception { - AbacIdToken idToken = AbacIdToken.withSamlToken(""); XacmlResponseWrapper responseWrapper = createResponse("xacmlresponse_1deny_1permit.json"); ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequestBuilder.class); - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); + 
when(xacmlConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); Set personnr = new HashSet<>(); personnr.add("12345678900"); personnr.add("07078515206"); PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, personnr); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); + pdpRequest.setPersonnummere(personnr); + Tilgangsbeslutning resultat = pdpKlient.forespørTilgang(pdpRequest); assertThat(resultat.getBeslutningKode()).isEqualTo(AbacResultat.AVSLÅTT_EGEN_ANSATT); assertThat(resultat.getDelbeslutninger()).isEqualTo(Arrays.asList(Decision.Deny, Decision.Permit)); } - private void assertHasAttribute(JsonArray attributes, String attributeName, String expectedValue) { + private void assertHasAttribute(JsonArray attributes, String expectedValue) { int size = attributes.size(); for (int i = 0; i < size; i++) { JsonObject obj = attributes.getJsonObject(i); - if (obj.getJsonString("AttributeId").getString().equals(attributeName) && obj.getJsonString("Value").getString().equals(expectedValue)) { + if (obj.getJsonString("AttributeId").getString().equals(AbacAttributtNøkkel.ENVIRONMENT_SAML_TOKEN) && obj.getJsonString("Value").getString().equals(expectedValue)) { return; } } - throw new AssertionError("Fant ikke " + attributeName + "=" + expectedValue + " i " + attributes); + throw new AssertionError("Fant ikke " + AbacAttributtNøkkel.ENVIRONMENT_SAML_TOKEN + "=" + expectedValue + " i " + attributes); } @Test public void skalFeileVedUkjentObligation() throws Exception { - AbacIdToken idToken = AbacIdToken.withSamlToken("SAML"); XacmlResponseWrapper responseWrapper = createResponse("xacmlresponse_multiple_obligation.json"); - when(pdpConsumerMock.evaluate(any(XacmlRequestBuilder.class))).thenReturn(responseWrapper); + when(xacmlConsumerMock.evaluate(any(XacmlRequestBuilder.class))).thenReturn(responseWrapper); String feilKode = ""; try { - PdpRequest pdpRequest = lagPdpRequest(); - 
pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, Collections.singleton("12345678900")); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); + PdpRequest pdpRequest = lagPdpRequest(IdToken.withToken("SAML", TokenType.SAML)); + pdpRequest.setPersonnummere(Collections.singleton("12345678900")); pdpKlient.forespørTilgang(pdpRequest); } catch (VLException e) { feilKode = e.getKode(); @@ -248,11 +230,10 @@ public void skalFeileVedUkjentObligation() throws Exception { @Test public void skal_håndtere_blanding_av_fnr_og_aktør_id() throws FileNotFoundException { - AbacIdToken idToken = AbacIdToken.withOidcToken(JWT_TOKEN); XacmlResponseWrapper responseWrapper = createResponse("xacml3response.json"); ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequestBuilder.class); - when(pdpConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); + when(xacmlConsumerMock.evaluate(captor.capture())).thenReturn(responseWrapper); Set personnr = new HashSet<>(); personnr.add("12345678900"); Set aktørId = new HashSet<>(); @@ -260,9 +241,8 @@ public void skalFeileVedUkjentObligation() throws Exception { aktørId.add("22222"); PdpRequest pdpRequest = lagPdpRequest(); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR, personnr); - pdpRequest.put(NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE, aktørId); - pdpRequest.put(PdpKlient.ENVIRONMENT_AUTH_TOKEN, idToken); + pdpRequest.setPersonnummere(personnr); + pdpRequest.setAktørIder(aktørId); pdpKlient.forespørTilgang(pdpRequest); String xacmlRequestString = captor.getValue().build().toString(); 
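Review bot: `skal_base64_encode_saml_token` encodes the empty string, and `Base64.getEncoder().encodeToString("".getBytes(StandardCharsets.UTF_8))` is itself `""`, so the assertion passes whether or not `XacmlRequestMapper` base64-encodes the SAML token. Use a non-empty token such as `var saml = "<saml:Assertion/>";`, assert `assertHasAttribute(attributes, Base64.getEncoder().encodeToString(saml.getBytes(StandardCharsets.UTF_8)));`, and additionally check that the raw value does not appear in `attributes`. The trailing `attributes.getJsonObject(0).getJsonString("AttributeId");` is a statement without an assertion and can be removed. `skalFeileVedUkjentObligation` would read more robustly as `assertThatThrownBy(() -> pdpKlient.forespørTilgang(pdpRequest)).isInstanceOf(VLException.class)` followed by a check on `getKode()`, instead of the try/catch that defaults `feilKode` to `""`.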
@@ -276,16 +256,24 @@ public void skalFeileVedUkjentObligation() throws Exception { } private PdpRequest lagPdpRequest() { - PdpRequest request = new PdpRequest(); - request.put(NavAbacCommonAttributter.RESOURCE_FELLES_DOMENE, "foreldrepenger"); - request.put(NavAbacCommonAttributter.XACML10_ACTION_ACTION_ID, BeskyttetRessursActionAttributt.READ.getEksternKode()); - request.put(NavAbacCommonAttributter.RESOURCE_FELLES_RESOURCE_TYPE, "no.nav.abac.attributter.foreldrepenger.fagsak"); - return request; + return lagPdpRequest(null); + } + + private PdpRequest lagPdpRequest(IdToken idToken) { + return PdpRequest.builder() + .medPepId("testPep") + .medDomene("foreldrepenger") + .medActionType(ActionType.READ) + .medResourceType("no.nav.abac.attributter.foreldrepenger.fagsak") + .medRequest("/test/request") + .medUserId("testUser") + .medIdToken(idToken != null ? idToken : IdToken.withToken(JWT_TOKEN, TokenType.OIDC)) + .build(); } @SuppressWarnings("resource") private XacmlResponseWrapper createResponse(String jsonFile) throws FileNotFoundException { - File file = new File(getClass().getClassLoader().getResource(jsonFile).getFile()); + File file = new File(Objects.requireNonNull(getClass().getClassLoader().getResource(jsonFile)).getFile()); JsonReader reader = Json.createReader(new FileReader(file)); JsonObject jo = (JsonObject) reader.read(); return new XacmlResponseWrapper(jo); diff --git a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumerImplTest.java b/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/XacmlConsumerImplTest.java similarity index 83% rename from felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumerImplTest.java rename to felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/XacmlConsumerImplTest.java index ce3126fb0..b64b9bb71 100644 --- a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumerImplTest.java 
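Review bot: `createResponse` still opens `new FileReader(file)` — platform default charset before Java 18 — and neither the `FileReader` nor the `JsonReader` is closed, which the retained `@SuppressWarnings("resource")` hides rather than fixes; `getResource(...).getFile()` also breaks when the test classpath contains URL-encoded characters. Read the fixture as a stream with an explicit charset in try-with-resources; this needs `java.io.InputStreamReader` and `java.io.IOException` imports, and callers that declare `throws FileNotFoundException` widen to `throws IOException` (or `Exception`, as several already do).
```java
private XacmlResponseWrapper createResponse(String jsonFile) throws IOException {
    try (var in = Objects.requireNonNull(getClass().getClassLoader().getResourceAsStream(jsonFile), jsonFile);
         var reader = Json.createReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
        return new XacmlResponseWrapper(reader.readObject());
    }
}
```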
+++ b/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp/XacmlConsumerImplTest.java @@ -1,6 +1,5 @@ -package no.nav.vedtak.sikkerhet.pdp; +package no.nav.foreldrepenger.sikkerhet.abac.pdp; -import static no.nav.vedtak.log.util.MemoryAppender.sniff; import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThatExceptionOfType; @@ -19,12 +18,11 @@ import com.sun.net.httpserver.HttpServer; +import ch.qos.logback.classic.Level; import no.nav.vedtak.exception.TekniskException; import no.nav.vedtak.log.util.MemoryAppender; -import no.nav.vedtak.sikkerhet.abac.DefaultAbacSporingslogg; -import no.nav.vedtak.util.AppLoggerFactory; -public class PdpConsumerImplTest { +public class XacmlConsumerImplTest { private static HttpServer httpServer; private static List responses = new ArrayList<>(); private static int port = 8000; @@ -38,7 +36,7 @@ public class PdpConsumerImplTest { @SuppressWarnings("resource") @BeforeAll public static void setUp() throws Exception { - logSniffer = sniff(AppLoggerFactory.getSporingLogger(DefaultAbacSporingslogg.class)); + logSniffer = MemoryAppender.sniff(XacmlConsumerImpl.class); httpServer = HttpServer.create(new InetSocketAddress(port), 0); httpServer.createContext(context, exchange -> { final Object[] resp = responses.remove(0); 
@@ -70,11 +68,11 @@ public void en_401_lager_ny_klient_og_logger_det() { responses.add(new Object[] { HttpURLConnection.HTTP_UNAUTHORIZED, "Unauthorized" }); responses.add(new Object[] { HttpURLConnection.HTTP_OK, response3 }); - PdpConsumerImpl impl = new PdpConsumerImpl(fakeEndPoint, "user", "pass"); + XacmlConsumerImpl impl = new XacmlConsumerImpl(fakeEndPoint, "user", "pass"); assertThat(impl.execute(jsonRequest).toString()).isEqualTo(response1); assertThat(impl.execute(jsonRequest).toString()).isEqualTo(response3); - assertThat(logSniffer.searchInfo("F-563467")).isNotNull(); + assertThat(logSniffer.search("F-563467", Level.WARN)).isNotEmpty(); } @Test @@ -86,11 +84,11 @@ public void en_401_lager_ny_klient_og_logger_det() { responses.add(new Object[] { HttpURLConnection.HTTP_UNAUTHORIZED, "Unauthorized" }); responses.add(new Object[] { HttpURLConnection.HTTP_UNAUTHORIZED, "Unauthorized" }); - PdpConsumerImpl impl = new PdpConsumerImpl(fakeEndPoint, "user", "pass"); + XacmlConsumerImpl impl = new XacmlConsumerImpl(fakeEndPoint, "user", "pass"); assertThat(impl.execute(jsonRequest).toString()).isEqualTo(response1); assertThatExceptionOfType(TekniskException.class).isThrownBy(() -> impl.execute(jsonRequest)) .withMessageStartingWith("F-867412"); - assertThat(logSniffer.searchInfo("F-563467")).isNotNull(); + assertThat(logSniffer.search("F-563467", Level.WARN)).isNotEmpty(); } } diff --git a/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/NyPdpImplTest.java b/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/NyPdpImplTest.java new file mode 100644 index 000000000..ef5abf4fa --- /dev/null +++ b/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/NyPdpImplTest.java 
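Review bot: Both tests in this file assert `logSniffer.search("F-563467", Level.WARN)).isNotEmpty()` against a sniffer attached once in the static `@BeforeAll`, so in whichever test runs second the assertion is already satisfied by the WARN line the first test produced and would not catch a regression where the 401 retry path stops logging. Unless `MemoryAppender` is reset between tests (not visible here), clear it in a `@BeforeEach` or assert on the count of matching entries after each `execute` call. The retry also rebuilds the client with the same `"user"`/`"pass"` credentials; it is worth confirming that the F-563467 message in `XacmlConsumerImpl` logs status and endpoint but never the Authorization header. The test methods start outside these hunks.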
@@ -0,0 +1,279 @@ +package no.nav.foreldrepenger.sikkerhet.abac.pdp2; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +import java.io.File; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.util.Arrays; +import java.util.Base64; +import java.util.Collections; +import java.util.HashSet; +import java.util.Objects; +import java.util.Set; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.mockito.ArgumentCaptor; + +import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacAttributtNøkkel; +import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacResultat; +import no.nav.foreldrepenger.sikkerhet.abac.domene.ActionType; +import no.nav.foreldrepenger.sikkerhet.abac.domene.IdToken; +import no.nav.foreldrepenger.sikkerhet.abac.domene.Tilgangsbeslutning; +import no.nav.foreldrepenger.sikkerhet.abac.domene.TokenType; +import no.nav.foreldrepenger.sikkerhet.abac.pdp.Pdp; +import no.nav.foreldrepenger.sikkerhet.abac.pdp.XacmlConsumer; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.Decision; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlRequest; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlResponse; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.NyPdpImpl; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.NyXacmlRequestMapper; +import no.nav.foreldrepenger.sikkerhet.abac.pep.PdpRequest; +import no.nav.vedtak.exception.VLException; +import no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper; + +public class NyPdpImplTest { + + public static final String JWT_TOKEN = 
"eyAidHlwIjogIkpXVCIsICJraWQiOiAiU0gxSWVSU2sxT1VGSDNzd1orRXVVcTE5VHZRPSIsICJhbGciOiAiUlMyNTYiIH0.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.S2DKQweQWZIfjaAT2UP9_dxrK5zqpXj8IgtjDLt5PVfLYfZqpWGaX-ckXG0GlztDVBlRK4ylmIYacTmEAUV_bRa_qWKRNxF83SlQRgHDSiE82SGv5WHOGEcAxf2w_d50XsgA2KDBCyv0bFIp9bCiKzP11uWPW0v4uIkyw2xVxMVPMCuiMUtYFh80sMDf9T4FuQcFd0LxoYcSFDEDlwCdRiF3ufw73qtMYBlNIMbTGHx-DZWkZV7CgukmCee79gwQIvGwdLrgaDrHFCJUDCbB1FFEaE3p3_BZbj0T54fCvL69aHyWm1zEd9Pys15yZdSh3oSSr4yVNIxhoF-nQ7gY-g;"; + private Pdp pdpKlient; + private NyXacmlConsumer xacmlConsumerMock; + + @BeforeEach + public void setUp() { + xacmlConsumerMock = mock(NyXacmlConsumer.class); + pdpKlient = new NyPdpImpl(xacmlConsumerMock); + } + + @Test + public void kallPdpMedSamlTokenNårIdTokenErSamlToken() throws Exception { + XacmlResponse xacmlResponse = createResponse("xacmlresponse.json"); + ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequest.class); + + when(xacmlConsumerMock.evaluate(captor.capture())).thenReturn(xacmlResponse); + PdpRequest pdpRequest = lagPdpRequest(IdToken.withToken("", TokenType.SAML)); + pdpRequest.setPersonnummere(Collections.singleton("12345678900")); + + var tilgangsbeslutning = pdpKlient.forespørTilgang(pdpRequest); + var xacmlRequestString = DefaultJsonMapper.MAPPER.writeValueAsString(captor.getValue()); + + assertThat(xacmlRequestString.contains(AbacAttributtNøkkel.ENVIRONMENT_SAML_TOKEN)).isTrue(); + assertThat(tilgangsbeslutning.fikkTilgang()).isFalse(); + assertThat(tilgangsbeslutning.getDelbeslutninger()).hasSize(1); + assertThat(tilgangsbeslutning.getBeslutningKode()).isEqualTo(AbacResultat.AVSLÅTT_ANNEN_ÅRSAK); + } + + @Test + public void kallPdpUtenFnrResourceHvisPersonlisteErTom() throws Exception { + XacmlResponse xacmlResponse = createResponse("xacmlresponse.json"); + ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequest.class); + + when(xacmlConsumerMock.evaluate(captor.capture())).thenReturn(xacmlResponse); + + PdpRequest pdpRequest = 
lagPdpRequest(); + + var tilgangsbeslutning = pdpKlient.forespørTilgang(pdpRequest); + var xacmlRequestString = DefaultJsonMapper.MAPPER.writeValueAsString(captor.getValue()); + + assertThat(xacmlRequestString.contains(AbacAttributtNøkkel.RESOURCE_PERSON_FNR)).isFalse(); + assertThat(tilgangsbeslutning.fikkTilgang()).isFalse(); + assertThat(tilgangsbeslutning.getDelbeslutninger()).hasSize(1); + assertThat(tilgangsbeslutning.getBeslutningKode()).isEqualTo(AbacResultat.AVSLÅTT_ANNEN_ÅRSAK); + } + + @Test + public void kallPdpMedJwtTokenBodyNårIdTokenErJwtToken() throws Exception { + XacmlResponse xacmlResponse = createResponse("xacmlresponse.json"); + ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequest.class); + + when(xacmlConsumerMock.evaluate(captor.capture())).thenReturn(xacmlResponse); + + PdpRequest pdpRequest = lagPdpRequest(); + pdpRequest.setPersonnummere(Collections.singleton("12345678900")); + var tilgangsbeslutning = pdpKlient.forespørTilgang(pdpRequest); + + var xacmlRequestString = DefaultJsonMapper.MAPPER.writeValueAsString(captor.getValue()); + + assertThat(xacmlRequestString.contains(AbacAttributtNøkkel.ENVIRONMENT_OIDC_TOKEN_BODY)).isTrue(); + + assertThat(tilgangsbeslutning.fikkTilgang()).isFalse(); + assertThat(tilgangsbeslutning.getDelbeslutninger()).hasSize(1); + assertThat(tilgangsbeslutning.getBeslutningKode()).isEqualTo(AbacResultat.AVSLÅTT_ANNEN_ÅRSAK); + } + + @Test + public void kallPdpMedFlereAttributtSettNårPersonlisteStørreEnn1() throws Exception { + XacmlResponse xacmlResponse = createResponse("xacml3response.json"); + ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequest.class); + + when(xacmlConsumerMock.evaluate(captor.capture())).thenReturn(xacmlResponse); + + PdpRequest pdpRequest = lagPdpRequest(); + Set personnr = new HashSet<>(); + personnr.add("12345678900"); + personnr.add("00987654321"); + personnr.add("15151515151"); + pdpRequest.setPersonnummere(personnr); + + var tilgangsbeslutning = 
pdpKlient.forespørTilgang(pdpRequest); + + var xacmlRequestString = DefaultJsonMapper.MAPPER.writeValueAsString(captor.getValue()); + + assertThat(xacmlRequestString.contains("12345678900")).isTrue(); + assertThat(xacmlRequestString.contains("00987654321")).isTrue(); + assertThat(xacmlRequestString.contains("15151515151")).isTrue(); + + assertThat(tilgangsbeslutning.fikkTilgang()).isFalse(); + assertThat(tilgangsbeslutning.getDelbeslutninger()).hasSize(3); + assertThat(tilgangsbeslutning.getBeslutningKode()).isEqualTo(AbacResultat.AVSLÅTT_ANNEN_ÅRSAK); + } + + @Test + public void kallPdpMedFlereAttributtSettNårPersonlisteStørreEnn2() throws Exception { + XacmlResponse xacmlResponse = createResponse("xacmlresponse-array.json"); + ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequest.class); + + when(xacmlConsumerMock.evaluate(captor.capture())).thenReturn(xacmlResponse); + Set personnr = new HashSet<>(); + personnr.add("12345678900"); + personnr.add("00987654321"); + personnr.add("15151515151"); + + PdpRequest pdpRequest = lagPdpRequest(); + pdpRequest.setPersonnummere(personnr); + + var tilgangsbeslutning = pdpKlient.forespørTilgang(pdpRequest); + + var xacmlRequestString = DefaultJsonMapper.MAPPER.writeValueAsString(captor.getValue()); + + assertThat(xacmlRequestString.contains("12345678900")).isTrue(); + assertThat(xacmlRequestString.contains("00987654321")).isTrue(); + assertThat(xacmlRequestString.contains("15151515151")).isTrue(); + + assertThat(tilgangsbeslutning.fikkTilgang()).isFalse(); + assertThat(tilgangsbeslutning.getDelbeslutninger()).hasSize(1); + assertThat(tilgangsbeslutning.getBeslutningKode()).isEqualTo(AbacResultat.AVSLÅTT_ANNEN_ÅRSAK); + } + + @Test + public void sporingsloggListeSkalHaSammeRekkefølgePåidenterSomXacmlRequest() throws Exception { + XacmlResponse xacmlResponse = createResponse("xacml3response.json"); + ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequest.class); + 
when(xacmlConsumerMock.evaluate(captor.capture())).thenReturn(xacmlResponse); + Set personnr = new HashSet<>(); + personnr.add("12345678900"); + personnr.add("00987654321"); + personnr.add("15151515151"); + + PdpRequest pdpRequest = lagPdpRequest(); + pdpRequest.setPersonnummere(personnr); + + var tilgangsbeslutning = pdpKlient.forespørTilgang(pdpRequest); + + var xacmlRequestString = DefaultJsonMapper.MAPPER.writeValueAsString(captor.getValue()); + + assertThat(xacmlRequestString.contains("12345678900")).isTrue(); + assertThat(xacmlRequestString.contains("00987654321")).isTrue(); + assertThat(xacmlRequestString.contains("15151515151")).isTrue(); + + assertThat(tilgangsbeslutning.fikkTilgang()).isFalse(); + assertThat(tilgangsbeslutning.getDelbeslutninger()).hasSize(3); + assertThat(tilgangsbeslutning.getBeslutningKode()).isEqualTo(AbacResultat.AVSLÅTT_ANNEN_ÅRSAK); + } + + @Test + public void skal_base64_encode_saml_token() throws Exception { + var samlToken = ""; + PdpRequest pdpRequest = lagPdpRequest(IdToken.withToken(samlToken, TokenType.SAML)); + pdpRequest.setPersonnummere(Collections.singleton("12345678900")); + var request = NyXacmlRequestMapper.lagXacmlRequest(pdpRequest); + var xacmlRequestString = DefaultJsonMapper.MAPPER.writeValueAsString(request); + assertThat(xacmlRequestString.contains(Base64.getEncoder().encodeToString(samlToken.getBytes(StandardCharsets.UTF_8)))).isTrue(); + } + + @Test + public void skal_bare_ta_med_deny_advice() throws Exception { + XacmlResponse xacmlResponse = createResponse("xacmlresponse_1deny_1permit.json"); + ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequest.class); + when(xacmlConsumerMock.evaluate(captor.capture())).thenReturn(xacmlResponse); + Set personnr = new HashSet<>(); + personnr.add("12345678900"); + personnr.add("07078515206"); + + PdpRequest pdpRequest = lagPdpRequest(); + pdpRequest.setPersonnummere(personnr); + + Tilgangsbeslutning resultat = pdpKlient.forespørTilgang(pdpRequest); + 
assertThat(resultat.getBeslutningKode()).isEqualTo(AbacResultat.AVSLÅTT_EGEN_ANSATT); + assertThat(resultat.getDelbeslutninger()).isEqualTo(Arrays.asList(Decision.Deny, Decision.Permit)); + } + + + @Test + public void skalFeileVedUkjentObligation() throws Exception { + XacmlResponse xacmlResponse = createResponse("xacmlresponse_multiple_obligation.json"); + when(xacmlConsumerMock.evaluate(any(XacmlRequest.class))).thenReturn(xacmlResponse); + String feilKode = ""; + try { + PdpRequest pdpRequest = lagPdpRequest(IdToken.withToken("SAML", TokenType.SAML)); + pdpRequest.setPersonnummere(Collections.singleton("12345678900")); + pdpKlient.forespørTilgang(pdpRequest); + } catch (VLException e) { + feilKode = e.getKode(); + } + assertThat(feilKode).isEqualTo("F-576027"); + } + + @Test + public void skal_håndtere_blanding_av_fnr_og_aktør_id() throws Exception { + + XacmlResponse xacmlResponse = createResponse("xacml3response.json"); + ArgumentCaptor captor = ArgumentCaptor.forClass(XacmlRequest.class); + + when(xacmlConsumerMock.evaluate(captor.capture())).thenReturn(xacmlResponse); + Set personnr = new HashSet<>(); + personnr.add("12345678900"); + Set aktørId = new HashSet<>(); + aktørId.add("11111"); + aktørId.add("22222"); + + PdpRequest pdpRequest = lagPdpRequest(); + pdpRequest.setPersonnummere(personnr); + pdpRequest.setAktørIder(aktørId); + pdpKlient.forespørTilgang(pdpRequest); + + String xacmlRequestString = DefaultJsonMapper.MAPPER.writeValueAsString(captor.getValue()); + + assertThat(xacmlRequestString.contains("{\"AttributeId\":\"no.nav.abac.attributter.resource.felles.person.fnr\",\"Value\":\"12345678900\"}")) + .isTrue(); + assertThat(xacmlRequestString + .contains("{\"AttributeId\":\"no.nav.abac.attributter.resource.felles.person.aktoerId_resource\",\"Value\":\"11111\"}")).isTrue(); + assertThat(xacmlRequestString + .contains("{\"AttributeId\":\"no.nav.abac.attributter.resource.felles.person.aktoerId_resource\",\"Value\":\"22222\"}")).isTrue(); + } + + 
private PdpRequest lagPdpRequest() { + return lagPdpRequest(null); + } + + private PdpRequest lagPdpRequest(IdToken idToken) { + return PdpRequest.builder() + .medDomene("foreldrepenger") + .medActionType(ActionType.READ) + .medResourceType("no.nav.abac.attributter.foreldrepenger.fagsak") + .medRequest("/test/request") + .medUserId("testUser") + .medIdToken(idToken != null ? idToken : IdToken.withToken(JWT_TOKEN, TokenType.OIDC)) + .build(); + } + + @SuppressWarnings("resource") + private XacmlResponse createResponse(String jsonFile) throws IOException { + File file = new File(Objects.requireNonNull(getClass().getClassLoader().getResource(jsonFile)).getFile()); + return DefaultJsonMapper.MAPPER.readValue(file, XacmlResponse.class); + } + +} diff --git a/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/XacmlRequestMapperTest.java b/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/XacmlRequestMapperTest.java new file mode 100644 index 000000000..8bf5adf30 --- /dev/null +++ b/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/XacmlRequestMapperTest.java 
@@ -0,0 +1,226 @@ +package no.nav.foreldrepenger.sikkerhet.abac.pdp2; + +import static org.assertj.core.api.Assertions.assertThat; + +import java.nio.charset.StandardCharsets; +import java.util.Base64; +import java.util.Set; +import java.util.stream.Collectors; + +import org.junit.jupiter.api.Test; + +import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacAttributtNøkkel; +import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacBehandlingStatus; +import no.nav.foreldrepenger.sikkerhet.abac.domene.AbacFagsakStatus; +import no.nav.foreldrepenger.sikkerhet.abac.domene.ActionType; +import no.nav.foreldrepenger.sikkerhet.abac.domene.IdSubject; +import no.nav.foreldrepenger.sikkerhet.abac.domene.IdToken; +import no.nav.foreldrepenger.sikkerhet.abac.domene.TokenType; +import no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml.XacmlRequest; +import no.nav.foreldrepenger.sikkerhet.abac.pep.PdpRequest; + +class XacmlRequestMapperTest { + public static final String JWT_TOKEN = "eyAidHlwIjogIkpXVCIsICJraWQiOiAiU0gxSWVSU2sxT1VGSDNzd1orRXVVcTE5VHZRPSIsICJhbGciOiAiUlMyNTYiIH0.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.S2DKQweQWZIfjaAT2UP9_dxrK5zqpXj8IgtjDLt5PVfLYfZqpWGaX-ckXG0GlztDVBlRK4ylmIYacTmEAUV_bRa_qWKRNxF83SlQRgHDSiE82SGv5WHOGEcAxf2w_d50XsgA2KDBCyv0bFIp9bCiKzP11uWPW0v4uIkyw2xVxMVPMCuiMUtYFh80sMDf9T4FuQcFd0LxoYcSFDEDlwCdRiF3ufw73qtMYBlNIMbTGHx-DZWkZV7CgukmCee79gwQIvGwdLrgaDrHFCJUDCbB1FFEaE3p3_BZbj0T54fCvL69aHyWm1zEd9Pys15yZdSh3oSSr4yVNIxhoF-nQ7gY-g;"; + + @Test + void testMapper() { + var request = NyXacmlRequestMapper.lagXacmlRequest(lagPdpRequestBuilder().build()); + validerBasisActionAttributter(request); + validerBasisEnvironmentAttributter(request); + validerBasisResourceAttributter(request, 1, 2); + assertThat(request.getRequest().getAccessSubject()).isNull(); + } + + @Test + void testMapperMedSubject() { + var pdpRequest = lagPdpRequestBuilder().build(); + pdpRequest.setIdSubject(IdSubject.with("srvTest", "InternalUser", "Level")); + var request = 
NyXacmlRequestMapper.lagXacmlRequest(pdpRequest); + + validerBasisActionAttributter(request); + validerBasisEnvironmentAttributter(request); + validerBasisResourceAttributter(request, 1, 2); + + validerBasisSubjectAttributter(request, 3); + assertThat(request.getRequest().getAccessSubject().getAttributt().get(2).getAttributeId()).isEqualTo(AbacAttributtNøkkel.SUBJECT_LEVEL); + assertThat(request.getRequest().getAccessSubject().getAttributt().get(2).getValue()).isEqualTo("Level"); + } + + @Test + void testMapperMedSubjectUtenLevel() { + var pdpRequest = lagPdpRequestBuilder().build(); + pdpRequest.setIdSubject(IdSubject.with("srvTest", "InternalUser")); + var request = NyXacmlRequestMapper.lagXacmlRequest(pdpRequest); + + validerBasisActionAttributter(request); + validerBasisEnvironmentAttributter(request); + validerBasisResourceAttributter(request, 1, 2); + + validerBasisSubjectAttributter(request, 2); + assertThat(request.getRequest().getAccessSubject().getAttributt()).noneSatisfy(attribut -> assertThat(attribut.getAttributeId()).isEqualTo(AbacAttributtNøkkel.SUBJECT_LEVEL)); + } + + @Test + void testMapperMedToAktørIder() { + var pdpRequest = lagPdpRequestBuilder().build(); + var aktørIder = Set.of("1234", "5678"); + pdpRequest.setAktørIder(aktørIder); + var request = NyXacmlRequestMapper.lagXacmlRequest(pdpRequest); + + validerBasisActionAttributter(request); + validerBasisEnvironmentAttributter(request); + validerBasisResourceAttributter(request, 2, 3); + validerResourceAttributter(aktørIder, request, AbacAttributtNøkkel.RESOURCE_PERSON_AKTOERID); + } + + @Test + void testMapperMedToFnrOgToAktørIder() { + var pdpRequest = lagPdpRequestBuilder().build(); + var aktørIder = Set.of("1234", "5678"); + pdpRequest.setAktørIder(aktørIder); + var personnummere = Set.of("12345678", "09876543"); + pdpRequest.setPersonnummere(personnummere); + var request = NyXacmlRequestMapper.lagXacmlRequest(pdpRequest); + + validerBasisActionAttributter(request); + 
validerBasisEnvironmentAttributter(request); + validerBasisResourceAttributter(request, 4, 3); + + validerResourceAttributter(aktørIder, request, AbacAttributtNøkkel.RESOURCE_PERSON_AKTOERID); + validerResourceAttributter(personnummere, request, AbacAttributtNøkkel.RESOURCE_PERSON_FNR); + } + + @Test + void testMapperMedToFnrOgToAktørIderToAksjonspunkter() { + var pdpRequest = lagPdpRequestBuilder().build(); + var aktørIder = Set.of("1234", "5678"); + pdpRequest.setAktørIder(aktørIder); + var personnummere = Set.of("12345678", "09876543"); + pdpRequest.setPersonnummere(personnummere); + var aksjonspunkter = Set.of("5080", "5074"); + pdpRequest.setAksjonspunkter(aksjonspunkter); + var request = NyXacmlRequestMapper.lagXacmlRequest(pdpRequest); + + validerBasisActionAttributter(request); + validerBasisEnvironmentAttributter(request); + validerBasisResourceAttributter(request, 8, 4); + validerResourceAttributter(aktørIder, request, AbacAttributtNøkkel.RESOURCE_PERSON_AKTOERID); + validerResourceAttributter(personnummere, request, AbacAttributtNøkkel.RESOURCE_PERSON_FNR); + validerResourceAttributter(aksjonspunkter, request, AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_SAK_AKSJONSPUNKT_TYPE); + } + + @Test + void testMapperMedAlleResurserSatt() { + var pepId = "testPepId"; + var domene = "foreldre"; + var resourceType = "no.nav.abac.attributter.foreldrepenger.fagsak"; + var pdpRequest = lagPdpRequestBuilder() + .medPepId(pepId) + .medDomene(domene) + .medResourceType(resourceType) + .medIdToken(IdToken.withToken("SAML", TokenType.SAML)) + .medUserId("srvTest") + .build(); + var aktørIder = Set.of("1234"); + pdpRequest.setAktørIder(aktørIder); + var personnummere = Set.of("12345678"); + pdpRequest.setPersonnummere(personnummere); + var aksjonspunkter = Set.of("5080"); + pdpRequest.setAksjonspunkter(aksjonspunkter); + pdpRequest.setAleneomsorg(true); + var annenPartAktørId = "09876543"; + pdpRequest.setAnnenPartAktørId(annenPartAktørId); + var ansvarligSaksbenandler = 
"Katarzyna"; + pdpRequest.setAnsvarligSaksbenandler(ansvarligSaksbenandler); + pdpRequest.setBehandlingStatus(AbacBehandlingStatus.OPPRETTET); + pdpRequest.setFagsakStatus(AbacFagsakStatus.OPPRETTET); + var request = NyXacmlRequestMapper.lagXacmlRequest(pdpRequest); + + validerBasisActionAttributter(request); + validerBasisEnvironmentAttributter(request, pepId, base64encode("SAML"), AbacAttributtNøkkel.ENVIRONMENT_SAML_TOKEN); + validerBasisResourceAttributter(request, 2, 9); + validerResourceAttributter(aktørIder, request, AbacAttributtNøkkel.RESOURCE_PERSON_AKTOERID); + validerResourceAttributter(personnummere, request, AbacAttributtNøkkel.RESOURCE_PERSON_FNR); + validerResourceAttributter(aksjonspunkter, request, AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_SAK_AKSJONSPUNKT_TYPE); + validerResourceAttributter(Set.of(domene), request, AbacAttributtNøkkel.RESOURCE_DOMENE); + validerResourceAttributter(Set.of(resourceType), request, AbacAttributtNøkkel.RESOURCE_RESOURCE_TYPE); + validerResourceAttributter(Set.of("true"), request, AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_ALENEOMSORG); + validerResourceAttributter(Set.of(annenPartAktørId), request, AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_ANNEN_PART); + validerResourceAttributter(Set.of(ansvarligSaksbenandler), request, AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_SAK_ANSVARLIG_SAKSBEHANDLER); + validerResourceAttributter(Set.of(AbacBehandlingStatus.OPPRETTET.getEksternKode()), request, AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_SAK_BEHANDLINGSSTATUS); + validerResourceAttributter(Set.of(AbacFagsakStatus.OPPRETTET.getEksternKode()), request, AbacAttributtNøkkel.RESOURCE_FORELDREPENGER_SAK_SAKSSTATUS); + } + + private void validerResourceAttributter(final Set expectedValues, final XacmlRequest request, String attributtKey) { + var resultatVerdier = request.getRequest().getResource() + .stream() + .flatMap(it -> it.getAttributt().stream() + .filter(s -> s.getAttributeId().equals(attributtKey)) + 
.map(XacmlRequest.Pair::getValue)) + .collect(Collectors.toSet()); + assertThat(resultatVerdier).containsAll(expectedValues); + } + + private void validerBasisSubjectAttributter(final XacmlRequest request, int antall) { + assertThat(request.getRequest()).isNotNull(); + assertThat(request.getRequest().getAccessSubject()).isNotNull(); + assertThat(request.getRequest().getAccessSubject().getAttributt()).isNotNull(); + assertThat(request.getRequest().getAccessSubject().getAttributt()).hasSize(antall); + assertThat(request.getRequest().getAccessSubject().getAttributt().get(0).getAttributeId()).isEqualTo(AbacAttributtNøkkel.SUBJECT_ID); + assertThat(request.getRequest().getAccessSubject().getAttributt().get(0).getValue()).isEqualTo("srvTest"); + assertThat(request.getRequest().getAccessSubject().getAttributt().get(1).getAttributeId()).isEqualTo(AbacAttributtNøkkel.SUBJECT_TYPE); + assertThat(request.getRequest().getAccessSubject().getAttributt().get(1).getValue()).isEqualTo("InternalUser"); + } + + private void validerBasisResourceAttributter(final XacmlRequest request, int antallRessources, int antallAttributterPerRessource) { + assertThat(request.getRequest().getResource()).isNotNull(); + assertThat(request.getRequest().getResource()).hasSize(antallRessources); + assertThat(request.getRequest().getResource().get(0).getAttributt()).isNotNull(); + assertThat(request.getRequest().getResource().get(0).getAttributt()).hasSize(antallAttributterPerRessource); + assertThat(request.getRequest().getResource().get(0).getAttributt().get(0).getAttributeId()).isEqualTo(AbacAttributtNøkkel.RESOURCE_DOMENE); + assertThat(request.getRequest().getResource().get(0).getAttributt().get(0).getValue()).isEqualTo("foreldre"); + assertThat(request.getRequest().getResource().get(0).getAttributt().get(1).getAttributeId()).isEqualTo(AbacAttributtNøkkel.RESOURCE_RESOURCE_TYPE); + 
assertThat(request.getRequest().getResource().get(0).getAttributt().get(1).getValue()).isEqualTo("no.nav.abac.attributter.foreldrepenger.fagsak"); + } + + private void validerBasisEnvironmentAttributter(final XacmlRequest request) { + validerBasisEnvironmentAttributter(request, null, JWT_TOKEN.split("\\.")[1], AbacAttributtNøkkel.ENVIRONMENT_OIDC_TOKEN_BODY); + } + + private void validerBasisEnvironmentAttributter(final XacmlRequest request, String expectedPepId, String expectedToken, String expectedTokenKey) { + assertThat(request.getRequest().getEnvironment()).isNotNull(); + assertThat(request.getRequest().getEnvironment().getAttributt()).isNotNull(); + assertThat(request.getRequest().getEnvironment().getAttributt()).hasSize(2); + assertThat(request.getRequest().getEnvironment().getAttributt().get(0).getAttributeId()).isEqualTo(AbacAttributtNøkkel.ENVIRONMENT_PEP_ID); + assertThat(request.getRequest().getEnvironment().getAttributt().get(0).getValue()).isEqualTo(expectedPepId); + assertThat(request.getRequest().getEnvironment().getAttributt().get(1).getAttributeId()).isEqualTo(expectedTokenKey); + assertThat(request.getRequest().getEnvironment().getAttributt().get(1).getValue()).isEqualTo(expectedToken); + } + + private void validerBasisActionAttributter(final XacmlRequest request) { + assertThat(request.getRequest()).isNotNull(); + assertThat(request.getRequest().getAction()).isNotNull(); + assertThat(request.getRequest().getAction().getAttributt()).isNotNull(); + assertThat(request.getRequest().getAction().getAttributt()).hasSize(1); + assertThat(request.getRequest().getAction().getAttributt().get(0).getAttributeId()).isEqualTo(AbacAttributtNøkkel.ACTION_ACTION_ID); + assertThat(request.getRequest().getAction().getAttributt().get(0).getValue()).isEqualTo("read"); + } + + private PdpRequest.Builder lagPdpRequestBuilder() { + return lagPdpRequestBuilder(null); + } + + private PdpRequest.Builder lagPdpRequestBuilder(IdToken idToken) { + return PdpRequest.builder() 
+ .medDomene("foreldre") + .medActionType(ActionType.READ) + .medResourceType("no.nav.abac.attributter.foreldrepenger.fagsak") + .medRequest("/test/request") + .medUserId("testUser") + .medIdToken(idToken != null ? idToken : IdToken.withToken(JWT_TOKEN, TokenType.OIDC)); + } + + private static String base64encode(String samlToken) { + return Base64.getEncoder().encodeToString(samlToken.getBytes(StandardCharsets.UTF_8)); + } +} diff --git a/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlRequestTest.java b/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlRequestTest.java new file mode 100644 index 000000000..ef3a450cc --- /dev/null +++ b/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlRequestTest.java 
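Review bot: `validerResourceAttributter` asserts `containsAll(expectedValues)`, so a mapper that emits extra or duplicated values under an attribute id still passes; since the sibling checks already pin the resource count per request, make the value check exact with `assertThat(resultatVerdier).containsExactlyInAnyOrderElementsOf(expectedValues);`. The `JWT_TOKEN` constant ends with a stray `;` inside the string literal (`...nQ7gY-g;"`); it does not affect the `split("\\.")[1]` body extraction these tests rely on, but it makes the fixture an invalid JWT and will bite any later test that validates the signature, so drop it. The header segment (kid `SH1IeRSk1OUFH3swZ+EuUq19TvQ=`, RS256) and full signature suggest this is a real issued token rather than a hand-made one; even if expired and from a test environment, prefer a synthetic three-segment token so no issued credential is committed.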
@@ -0,0 +1,41 @@
+package no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.util.List;
+
+import org.junit.jupiter.api.Test;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+
+import no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper;
+
+public class XacmlRequestTest {
+
+    @Test
+    void serializeTest() throws JsonProcessingException {
+        var actionSet = new XacmlRequest.AttributeSet(List.of(new XacmlRequest.Pair("urn:oasis:names:tc:xacml:1.0:action:action-id", "read")));
+        var envSet = new XacmlRequest.AttributeSet(
+            List.of(
+                new XacmlRequest.Pair("no.nav.abac.attributter.environment.felles.pep_id", "local-app"),
+                new XacmlRequest.Pair("no.nav.abac.attributter.environment.felles.oidc_token_body", "blatoken")
+            ));
+        var resourceSet = List.of(
+            new XacmlRequest.AttributeSet(
+                List.of(
+                    new XacmlRequest.Pair("no.nav.abac.attributter.environment.felles.domene", "foreldrepenger"),
+                    new XacmlRequest.Pair("no.nav.abac.attributter.resource.felles.resource_type", "no.nav.abac.attributter.foreldrepenger.fagsak"),
+                    new XacmlRequest.Pair("no.nav.abac.attributter.resource.felles.person.fnr", "12345678900")
+                ))
+        );
+
+        XacmlRequest.Request value = new XacmlRequest.Request(actionSet, envSet, resourceSet, null);
+        XacmlRequest request = new XacmlRequest(value);
+
+        var mapper = DefaultJsonMapper.MAPPER;
+        String answer = mapper.writeValueAsString(request);
+
+        assertThat(answer).contains("no.nav.abac.attributter.environment.felles.oidc_token_body");
+        assertThat(answer).doesNotContain("AccessSubject");
+    }
+}
diff --git a/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlResponseTest.java b/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlResponseTest.java
new file mode 100644
index 000000000..12309b94d
--- /dev/null
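Review bot: The resource fixture tags the domain with `no.nav.abac.attributter.environment.felles.domene`, while the resource-level id used elsewhere in this patch (request.json, and `AbacAttributtNøkkel.RESOURCE_DOMENE` as exercised in the mapper test) is `no.nav.abac.attributter.resource.felles.domene`; the test passes only because it never looks at that attribute, so fix the fixture to `new XacmlRequest.Pair("no.nav.abac.attributter.resource.felles.domene", "foreldrepenger")`. For a serialization test the assertions are also thin: they check one key name and that a null access-subject is not emitted, but not that the attribute pairs come out in the wire shape the PDP expects. Add at least `assertThat(answer).contains("{\"AttributeId\":\"no.nav.abac.attributter.resource.felles.person.fnr\",\"Value\":\"12345678900\"}");`, which is the exact form the pdp test earlier in this patch already relies on.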
+++ b/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pdp2/xacml/XacmlResponseTest.java
@@ -0,0 +1,29 @@
+package no.nav.foreldrepenger.sikkerhet.abac.pdp2.xacml;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.io.File;
+import java.util.Objects;
+
+import org.junit.jupiter.api.Test;
+
+import no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper;
+
+class XacmlResponseTest {
+
+    @Test
+    public void createResponse() throws Exception {
+        var mapper = DefaultJsonMapper.MAPPER;
+        var deserialized = mapper.readValue(new File(Objects.requireNonNull(getClass().getClassLoader().getResource("xacmlresponse.json")).getFile()), XacmlResponse.class);
+
+        var serialized = mapper.writeValueAsString(deserialized);
+
+        var deserialized2 = mapper.readValue(serialized, XacmlResponse.class);
+
+        assertThat(deserialized.getResponse()).isNotEmpty();
+        assertThat(deserialized.getResponse()).hasSize(1);
+        assertThat(deserialized2.getResponse()).isNotEmpty();
+        assertThat(deserialized2.getResponse()).hasSize(1);
+    }
+
+}
diff --git a/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pep/PepImplTest.java b/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pep/PepImplTest.java
new file mode 100644
index 000000000..82a699fc8
--- /dev/null
+++ b/felles/abac/src/test/java/no/nav/foreldrepenger/sikkerhet/abac/pep/PepImplTest.java
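Review bot: The round-trip asserts only the size of `getResponse()`, so a `Decision` or `AssociatedAdvice` field silently dropped on serialization (a getter without a matching JSON property, for instance) would still pass; since the fixture carries a `Deny` with one advice, assert that the payload survives, most simply with `assertThat(mapper.writeValueAsString(deserialized2)).isEqualTo(serialized);` in addition to the size checks. Loading the fixture via `new File(getResource(...).getFile())` also breaks as soon as the test resources are packaged in a jar, because `getFile()` then returns a `jar:`-style path; read it through `getClass().getClassLoader().getResourceAsStream("xacmlresponse.json")` inside try-with-resources and pass the stream to `readValue`. The `createResponse` helper in the pdp test earlier in this patch uses the same File-based pattern (note its `@SuppressWarnings("resource")`) and would benefit from the same change.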
@@ -0,0 +1,102 @@ +package no.nav.foreldrepenger.sikkerhet.abac.pep; + +import static org.assertj.core.api.AssertionsForClassTypes.assertThat; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.verifyNoInteractions; +import static org.mockito.Mockito.when; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; + +import no.nav.foreldrepenger.sikkerhet.abac.PdpRequestBuilder; +import no.nav.foreldrepenger.sikkerhet.abac.auditlog.AbacAuditlogger; +import no.nav.foreldrepenger.sikkerhet.abac.domene.ActionType; +import no.nav.foreldrepenger.sikkerhet.abac.domene.BeskyttRessursAttributer; +import no.nav.foreldrepenger.sikkerhet.abac.domene.IdToken; +import no.nav.foreldrepenger.sikkerhet.abac.domene.Tilgangsbeslutning; +import no.nav.foreldrepenger.sikkerhet.abac.domene.TokenType; +import no.nav.foreldrepenger.sikkerhet.abac.pdp.Pdp; +import no.nav.vedtak.log.audit.Auditlogger; + +@ExtendWith(MockitoExtension.class) +class PepImplTest { + + private PepImpl pep; + @Mock + private Pdp pdpKlientMock; + @Mock + private Pdp nyPdpKlientMock; + @Mock + private PdpRequestBuilder pdpRequestBuilder; + + @BeforeEach + void setUp() { + pep = new PepImpl( + pdpKlientMock, + nyPdpKlientMock, + pdpRequestBuilder, + new AbacAuditlogger(new Auditlogger(true, "felles", "felles-test")), + "SRVFPLOS,SRVPDP"); + } + + @Test + void skal_gi_tilgang_til_srvpdp_for_piptjeneste() { + + BeskyttRessursAttributer attributter = new BeskyttRessursAttributer() + .setResource("pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker") + .setActionType(ActionType.READ) + .setRequestPath("/test/path"); + when(pdpRequestBuilder.lagPdpRequest(attributter)) + .thenReturn(buildPdpRequest(attributter, "srvpdp")); + + Tilgangsbeslutning permit = pep.vurderTilgang(attributter); + 
assertThat(permit.fikkTilgang()).isTrue(); + verifyNoInteractions(pdpKlientMock); + } + + @Test + void skal_nekte_tilgang_til_saksbehandler_for_piptjeneste() { + BeskyttRessursAttributer attributter = new BeskyttRessursAttributer() + .setResource("pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker") + .setActionType(ActionType.READ) + .setRequestPath("/test/path"); + + when(pdpRequestBuilder.lagPdpRequest(attributter)) + .thenReturn(buildPdpRequest(attributter, "saksbehandler")); + + + Tilgangsbeslutning permit = pep.vurderTilgang(attributter); + assertThat(permit.fikkTilgang()).isFalse(); + verifyNoInteractions(pdpKlientMock); + } + + @Test + void skal_kalle_pdp_for_annet_enn_pip_tjenester() { + BeskyttRessursAttributer attributter = new BeskyttRessursAttributer() + .setResource("no.nav.abac.attributter.foreldrepenger.fagsak") + .setActionType(ActionType.READ) + .setRequestPath("/test/path"); + + when(pdpRequestBuilder.lagPdpRequest(attributter)) + .thenReturn(buildPdpRequest(attributter, "saksbehandler")); + + @SuppressWarnings("unused") + Tilgangsbeslutning permit = pep.vurderTilgang(attributter); + verify(pdpKlientMock).forespørTilgang(any(PdpRequest.class)); + } + + private PdpRequest buildPdpRequest(BeskyttRessursAttributer attributter, String userId) { + return PdpRequest.builder() + .medDomene("testDomene") + .medActionType(attributter.getActionType()) + .medResourceType(attributter.getResource()) + .medRequest(attributter.getRequestPath()) + .medUserId(userId) + .medIdToken(IdToken.withToken("testTokenString", TokenType.OIDC)) + .build(); + } +} diff --git a/felles/abac/src/test/resources/META-INF/beans.xml b/felles/abac/src/test/resources/META-INF/beans.xml new file mode 100644 index 000000000..4788e81b1 --- /dev/null +++ b/felles/abac/src/test/resources/META-INF/beans.xml @@ -0,0 +1,6 @@ + + + 
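Review bot: The two PIP allow-list tests verify `verifyNoInteractions(pdpKlientMock)` but never check `nyPdpKlientMock`, although `PepImpl` is constructed with both clients, so a bypass path that mistakenly consulted the new client would still pass; add `verifyNoInteractions(nyPdpKlientMock);` next to each existing verification, and in `skal_kalle_pdp_for_annet_enn_pip_tjenester` pin which of the two clients must be called and that the other is not, instead of leaving `permit` unused. The local allow-list is a PDP bypass, so its scope should be tested from the other side too: there is no case showing that an allow-listed service user (`srvpdp`) asking for a non-PIP resource still goes to the PDP — reuse the third test's attributes with `buildPdpRequest(attributter, "srvpdp")` and keep `verify(pdpKlientMock).forespørTilgang(any(PdpRequest.class))`. The allow-list is configured as `"SRVFPLOS,SRVPDP"` while the matching user id is `srvpdp`, so the comparison is presumably case-insensitive; a mixed-case case and a near-miss such as `srvpdp2` would document that contract rather than leave it implicit.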
diff --git a/felles/abac/src/test/resources/application.properties b/felles/abac/src/test/resources/application.properties new file mode 100644 index 000000000..baaab849f --- /dev/null +++ b/felles/abac/src/test/resources/application.properties @@ -0,0 +1 @@ +loadbalancer.url=http://localhost:8080 \ No newline at end of file diff --git a/felles/abac/src/test/resources/example-jwks.json b/felles/abac/src/test/resources/example-jwks.json new file mode 100644 index 000000000..b7c008c0c --- /dev/null +++ b/felles/abac/src/test/resources/example-jwks.json @@ -0,0 +1,12 @@ +{ + "keys" : [ + { + "kty" : "RSA", + "alg" : "RS256", + "use" : "sig", + "kid" : "", + "n" : "AM2uHZfbHbDfkCTG8GaZO2zOBDmL4sQgNzCSFqlQ-ikAwTV5ptyAHYC3JEy_LtMcRSv3E7r0yCW_7WtzT-CgBYQilb_lz1JmED3TgiThEolN2kaciY06UGycSj8wEYik-3PxuVeKr3uw6LVEohM3rrCjdlkQ_jctuvuUrCedbsb2hVw6Q17PQbWURq8v3gtXmGMD8KcR7e0dtf0ZoMOfZQoFJZ-a5dMFzXeP8Ffz_c0uBLSddd-FqOhzVDiMbvFI9XKE22TWghYanPpPsGGZYioQbJfu5VtphR6zNjiUp9O4lA_qEkbBpRA8SaUTCz3PcirFYDg0zvV8p2hgY9jyCj0", + "e" : "AQAB" + } + ] +} \ No newline at end of file diff --git a/felles/abac/src/test/resources/example2-jwks.json b/felles/abac/src/test/resources/example2-jwks.json new file mode 100644 index 000000000..506e82221 --- /dev/null +++ b/felles/abac/src/test/resources/example2-jwks.json 
@@ -0,0 +1,20 @@ +{ + "keys" : [ + { + "kty": "RSA", + "alg": "RS256", + "use": "sig", + "kid": "98f252c36ece673b2609f8d2d1b387a00de68e51", + "n": "8Ygp-3f-duZdIzUjziRsmaOmWGH74kEETZ42NMz5EnT1ogwnU4DOBmDjGqo8jCDoK-R4ZWL70FEFHdgBaO6oGKPZhLQ08CYV8dguBSx1caxart_KKdcsRllLagbenv5W7n4gUL3eN4JIACgIocapXvbUeJDkg4VUQYnpYBoG-07pbcfEJVePlX7874IUEuSmDcWOwUFAXfvR5fbShLgN1JOAjwMIfYXaLIWBqNh8BvluSrDcXIeWWX0aLZ4jC2BZfUv9yKAtd6OqJFDJIu97gn0ikPne21T-RjOXiqQIQHPWWMpdsstUAtU-n5LWcToQJ37UYaB9AzH4E7lyMdBkPQ", + "e": "AQAB" + }, + { + "kty": "RSA", + "alg": "RS256", + "use": "sig", + "kid": "8d3074d68906276778eb3aea6a4b698e893d934b", + "n": "wP4d1nWwCHctGop7TKpyrW9lbrjJIFdL1yWGnQsLy3-3w8xZwsMywBr4spOfzMjOsUuXkIuSBLB5bb3H8dhusdnwJx_0tS8IQyRPawS_TFEn0VIG8N5DaObrwUwJ5GQ7mhAZJeQX78UuGzDMqsWZ1amPjqtIkUnsIiKk1HM2rCByNZK6ZR1oeERBzWbXaFr4samPWcNdwSTDKTdYe_bGqywFr4yZlj1Kj-_tY1KZe9TRf9Ah-U2OpOK4QM9ONuE15pmAt_DCK8-zYcF3ikg738qrjWyeqr4LfEc1n6hBGe0AqdXT0CqA-tZVQmzkDNGdKnIOlRv5pw4tUn6kH8c2Pw", + "e": "AQAB" + } + ] +} \ No newline at end of file diff --git a/felles/abac/src/test/resources/logback-test.xml b/felles/abac/src/test/resources/logback-test.xml new file mode 100644 index 000000000..8983850cf --- /dev/null +++ b/felles/abac/src/test/resources/logback-test.xml @@ -0,0 +1,22 @@ + + + + + %d [%-5level] [%thread] %logger{5} - [%X{consumerId}, %X{callId}, %X{userId}] - %m%n + + + + + + + + + + + + + + + + + diff --git a/felles/abac/src/test/resources/request.json b/felles/abac/src/test/resources/request.json new file mode 100644 index 000000000..fceed37a1 --- /dev/null +++ b/felles/abac/src/test/resources/request.json 
@@ -0,0 +1,90 @@ +{ + "Request": { + "Resource": [ + { + "Attribute": [ + { + "AttributeId": "no.nav.abac.attributter.resource.felles.domene", + "Value": "foreldrepenger" + }, + { + "AttributeId": "no.nav.abac.attributter.resource.felles.resource_type", + "Value": "no.nav.abac.attributter.foreldrepenger.fagsak" + }, + { + "AttributeId": "no.nav.abac.attributter.resource.felles.person.aktoerId_resource", + "Value": "11111" + } + ] + }, + { + "Attribute": [ + { + "AttributeId": "no.nav.abac.attributter.resource.felles.domene", + "Value": "foreldrepenger" + }, + { + "AttributeId": "no.nav.abac.attributter.resource.felles.resource_type", + "Value": "no.nav.abac.attributter.foreldrepenger.fagsak" + }, + { + "AttributeId": "no.nav.abac.attributter.resource.felles.person.aktoerId_resource", + "Value": "22222" + } + ] + }, + { + "Attribute": [ + { + "AttributeId": "no.nav.abac.attributter.resource.felles.domene", + "Value": "foreldrepenger" + }, + { + "AttributeId": "no.nav.abac.attributter.resource.felles.resource_type", + "Value": "no.nav.abac.attributter.foreldrepenger.fagsak" + }, + { + "AttributeId": "no.nav.abac.attributter.resource.felles.person.fnr", + "Value": "12345678900" + } + ] + } + ], + "Action": { + "Attribute": [ + { + "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", + "Value": "read" + } + ] + }, + "Environment": { + "Attribute": [ + { + "AttributeId": "no.nav.abac.attributter.environment.felles.pep_id", + "Value": "local-app" + }, + { + "AttributeId": "no.nav.abac.attributter.environment.felles.oidc_token_body", + "Value": "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" + } + ] + }, + "ActionSubject": { + "Attribute": [ + { + "AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id", + "Value": "Z991241" + }, + { + "AttributeId": "no.nav.abac.attributter.subject.felles.subjectType", + "Value": "InternBruker" + }, + { + "AttributeId": "no.nav.abac.attributter.subject.felles.authenticationLevel", + "Value": "4" + } + ] + } + } 
+} diff --git a/felles/abac/src/test/resources/request1.json b/felles/abac/src/test/resources/request1.json new file mode 100644 index 000000000..9887ca2dc --- /dev/null +++ b/felles/abac/src/test/resources/request1.json @@ -0,0 +1,40 @@ +{ + "Request": { + "Resource": { + "Attribute": [ + { + "AttributeId": "no.nav.abac.attributter.resource.felles.domene", + "Value": "foreldrepenger" + }, + { + "AttributeId": "no.nav.abac.attributter.resource.felles.resource_type", + "Value": "no.nav.abac.attributter.foreldrepenger.fagsak" + }, + { + "AttributeId": "no.nav.abac.attributter.resource.felles.person.fnr", + "Value": "12345678900" + } + ] + }, + "Action": { + "Attribute": [ + { + "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", + "Value": "read" + } + ] + }, + "Environment": { + "Attribute": [ + { + "AttributeId": "no.nav.abac.attributter.environment.felles.pep_id", + "Value": "local-app" + }, + { + "AttributeId": "no.nav.abac.attributter.environment.felles.oidc_token_body", + "Value": "eyAiYXRfaGFzaCI6ICIyb2c1RGk5ZW9LeFhOa3VPd0dvVUdBIiwgInN1YiI6ICJzMTQyNDQzIiwgImF1ZGl0VHJhY2tpbmdJZCI6ICI1NTM0ZmQ4ZS03MmE2LTRhMWQtOWU5YS1iZmEzYThhMTljMDUtNjE2NjA2NyIsICJpc3MiOiAiaHR0cHM6Ly9pc3NvLXQuYWRlby5ubzo0NDMvaXNzby9vYXV0aDIiLCAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgImF1ZCI6ICJPSURDIiwgImNfaGFzaCI6ICJiVWYzcU5CN3dTdi0wVlN0bjhXLURnIiwgIm9yZy5mb3JnZXJvY2sub3BlbmlkY29ubmVjdC5vcHMiOiAiMTdhOGZiMzYtMGI0Ny00YzRkLWE4YWYtZWM4Nzc3Y2MyZmIyIiwgImF6cCI6ICJPSURDIiwgImF1dGhfdGltZSI6IDE0OTgwMzk5MTQsICJyZWFsbSI6ICIvIiwgImV4cCI6IDE0OTgwNDM1MTUsICJ0b2tlblR5cGUiOiAiSldUVG9rZW4iLCAiaWF0IjogMTQ5ODAzOTkxNSB9" + } + ] + } + } +} diff --git a/felles/abac/src/test/resources/xacml3response.json b/felles/abac/src/test/resources/xacml3response.json new file mode 100644 index 000000000..bd7ed00a4 --- /dev/null +++ b/felles/abac/src/test/resources/xacml3response.json 
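Review bot: The `oidc_token_body` value decodes to what appears to be a genuine ID-token payload from the `isso-t.adeo.no` issuer, with a personal subject (`"sub": "s142443"`), an audit tracking id and a 2017 expiry; even if expired and from a test environment, issued tokens carrying user identifiers should not be committed as fixtures. Replace it with the base64 of a synthetic payload such as `{"sub":"testUser","iss":"https://test.local","aud":"OIDC","exp":1498043515}`. Note also that this fixture gives `Resource` as a single object while request.json in the same patch (and the mapper, whose `getResource()` is asserted as a list) uses an array, and that neither request fixture is referenced by any test visible in this patch; if request1.json is meant to be deserialized into `XacmlRequest`, it will need the array form, otherwise consider dropping it.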
@@ -0,0 +1,64 @@ +{ + "Response": [ + { + "Decision": "Deny", + "Status": { + "StatusCode": { + "Value": "urn:oasis:names:tc:xacml:1.0:status:ok", + "StatusCode": { + "Value": "urn:oasis:names:tc:xacml:1.0:status:ok" + } + } + }, + "AssociatedAdvice": [{ + "Id": "no.nav.abac.advices.deny.reason", + "AttributeAssignment": [{ + "AttributeId": "no.nav.abac.advice.fritekst", + "Value": "Ikke tilgang", + "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + }] + }] + }, + { + "Decision": "Deny", + "Status": { + "StatusCode": { + "Value": "urn:oasis:names:tc:xacml:1.0:status:ok", + "StatusCode": { + "Value": "urn:oasis:names:tc:xacml:1.0:status:ok" + } + } + }, + "AssociatedAdvice": [{ + "Id": "no.nav.abac.advices.deny.reason", + "AttributeAssignment": [{ + "AttributeId": "no.nav.abac.advice.fritekst", + "Value": "Ikke tilgang", + "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + }] + }] + }, + { + "Decision": "Deny", + "Status": { + "StatusCode": { + "Value": "urn:oasis:names:tc:xacml:1.0:status:ok", + "StatusCode": { + "Value": "urn:oasis:names:tc:xacml:1.0:status:ok" + } + } + }, + "AssociatedAdvice": [{ + "Id": "no.nav.abac.advices.deny.reason", + "AttributeAssignment": [{ + "AttributeId": "no.nav.abac.advice.fritekst", + "Value": "Ikke tilgang", + "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + }] + }] + } + ] +} diff --git a/felles/abac/src/test/resources/xacmlresponse-array.json b/felles/abac/src/test/resources/xacmlresponse-array.json new file mode 100644 index 000000000..066b235e6 --- /dev/null +++ b/felles/abac/src/test/resources/xacmlresponse-array.json 
@@ -0,0 +1,33 @@ +{ + "Response": [{ + "Decision": "Deny", + "Status": { + "StatusCode": { + "Value": "urn:oasis:names:tc:xacml:1.0:status:ok", + "StatusCode": { + "Value": "urn:oasis:names:tc:xacml:1.0:status:ok" + } + } + }, + "AssociatedAdvice": [ + { + "Id": "no.nav.abac.advices.deny.reason", + "AttributeAssignment": [{ + "AttributeId": "no.nav.abac.advice.fritekst", + "Value": "Ikke tilgang", + "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + }] + }, + { + "Id": "no.nav.abac.advices.deny.reason", + "AttributeAssignment": [{ + "AttributeId": "no.nav.abac.advice.fritekst", + "Value": "Ikke tilgang", + "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + }] + } + ] + }] +} diff --git a/felles/abac/src/test/resources/xacmlresponse.json b/felles/abac/src/test/resources/xacmlresponse.json new file mode 100644 index 000000000..966921f99 --- /dev/null +++ b/felles/abac/src/test/resources/xacmlresponse.json @@ -0,0 +1,20 @@ +{ + "Response": [ + { + "Decision": "Deny", + "AssociatedAdvice": [ + { + "Id": "no.nav.abac.advices.deny.reason", + "AttributeAssignment": [ + { + "AttributeId": "no.nav.abac.advice.fritekst", + "Value": "Ikke tilgang", + "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + } + ] + } + ] + } + ] +} diff --git a/felles/abac/src/test/resources/xacmlresponse_1deny_1permit.json b/felles/abac/src/test/resources/xacmlresponse_1deny_1permit.json new file mode 100644 index 000000000..68d917c3d --- /dev/null +++ b/felles/abac/src/test/resources/xacmlresponse_1deny_1permit.json 
@@ -0,0 +1,60 @@ +{ + "Response": [ + { + "Decision": "Deny", + "Status": { + "StatusCode": { + "Value": "urn:oasis:names:tc:xacml:1.0:status:ok", + "StatusCode": { + "Value": "urn:oasis:names:tc:xacml:1.0:status:ok" + } + } + }, + "AssociatedAdvice": [{ + "Id": "no.nav.abac.advices.reason.deny_reason", + "AttributeAssignment": [ + { + "AttributeId": "no.nav.abac.attributter.adviceorobligation.cause", + "Value": "cause-0001-manglerrolle", + "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + }, + { + "AttributeId": "no.nav.abac.attributter.adviceorobligation.deny_policy", + "Value": "fp3_behandle_egen_ansatt", + "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + }, + { + "AttributeId": "no.nav.abac.attributter.adviceorobligation.deny_rule", + "Value": "intern_behandle_egen_ansatt_feilgruppetilgang", + "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + } + ] + }] + }, + { + "Decision": "Permit", + "Status": { + "StatusCode": { + "Value": "urn:oasis:names:tc:xacml:1.0:status:ok", + "StatusCode": { + "Value": "urn:oasis:names:tc:xacml:1.0:status:ok" + } + } + }, + "AssociatedAdvice": [{ + "Id": "no.nav.abac.advices.action.sporbarhetslogg", + "AttributeAssignment": [ + { + "AttributeId": "no.nav.abac.attributter.adviceorobligation.fritekst", + "Value": "alt ok", + "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + } + ] + }] + } + ] +} diff --git a/felles/abac/src/test/resources/xacmlresponse_multiple_obligation.json b/felles/abac/src/test/resources/xacmlresponse_multiple_obligation.json new file mode 100644 index 000000000..1e33d0220 --- /dev/null +++ b/felles/abac/src/test/resources/xacmlresponse_multiple_obligation.json 
@@ -0,0 +1,37 @@
+{
+ "Response": [
+ {
+ "Decision": "Permit",
+ "Status": {
+ "StatusCode": {
+ "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
+ "StatusCode": {
+ "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
+ }
+ }
+ },
+ "Obligations": [
+ {
+ "Id": "no.nav.abac.obligation.action.log",
+ "AttributeAssignment": [
+ {
+ "AttributeId": "no.nav.abac.advice.fritekst",
+ "Value": "Mangler konsument (consumerId)",
+ "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
+ "DataType": "http://www.w3.org/2001/XMLSchema#string"
+ }
+ ]
+ },
+ {
+ "Id": "no.nav.abac.obligation.action.auditlog",
+ "AttributeAssignment": [{
+ "AttributeId": "no.nav.abac.advice.fritekst",
+ "Value": "Mangler autentiseringsNivaa (authenticationLevel)",
+ "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
+ "DataType": "http://www.w3.org/2001/XMLSchema#string"
+ }]
+ }
+ ]
+ }
+ ]
+}
diff --git a/felles/feil/src/main/java/no/nav/vedtak/exception/FunksjonellException.java b/felles/feil/src/main/java/no/nav/vedtak/exception/FunksjonellException.java
index b435fe6b0..c571f1314 100644
--- a/felles/feil/src/main/java/no/nav/vedtak/exception/FunksjonellException.java
+++ b/felles/feil/src/main/java/no/nav/vedtak/exception/FunksjonellException.java
@@ -1,6 +1,5 @@
 package no.nav.vedtak.exception;
-@Deprecated(since = "3.1", forRemoval = true)
 /* Bruk klasser fra no.nav.foreldrepenger.felles:feil:1.0.1 istedenfor. */
 public class FunksjonellException extends VLException {
diff --git a/felles/feil/src/main/java/no/nav/vedtak/exception/IntegrasjonException.java b/felles/feil/src/main/java/no/nav/vedtak/exception/IntegrasjonException.java
index 82228da43..de771f706 100644
--- a/felles/feil/src/main/java/no/nav/vedtak/exception/IntegrasjonException.java
+++ b/felles/feil/src/main/java/no/nav/vedtak/exception/IntegrasjonException.java
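Review bot: The comment `/* Bruk klasser fra no.nav.foreldrepenger.felles:feil:1.0.1 istedenfor. */` survives on FunksjonellException while the `@Deprecated(since = "3.1", forRemoval = true)` it explained is removed, so readers are still told to use another module's classes but neither the compiler nor IDEs will warn any more. If the class is back in support, the comment should go with the annotation; if it is not, the annotation should stay. The same mismatch is in the IntegrasjonException, ManglerTilgangException, TekniskException and VLException hunks and in package-info.java, whose Javadoc keeps the "Bruk klasser ... istedenfor." sentence after its `@Deprecated` line is dropped.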
@@ -1,5 +1,4 @@
 package no.nav.vedtak.exception;
-@Deprecated(since = "3.1", forRemoval = true)
 /* Bruk klasser fra no.nav.foreldrepenger.felles:feil:1.0.1 istedenfor. */
 public class IntegrasjonException extends VLException {
diff --git a/felles/feil/src/main/java/no/nav/vedtak/exception/ManglerTilgangException.java b/felles/feil/src/main/java/no/nav/vedtak/exception/ManglerTilgangException.java
index 97fb2e9f8..a427fa7f5 100644
--- a/felles/feil/src/main/java/no/nav/vedtak/exception/ManglerTilgangException.java
+++ b/felles/feil/src/main/java/no/nav/vedtak/exception/ManglerTilgangException.java
@@ -1,5 +1,4 @@
 package no.nav.vedtak.exception;
-@Deprecated(since = "3.1", forRemoval = true)
 /* Bruk klasser fra no.nav.foreldrepenger.felles:feil:1.0.1 istedenfor. */
 public class ManglerTilgangException extends VLException {
diff --git a/felles/feil/src/main/java/no/nav/vedtak/exception/TekniskException.java b/felles/feil/src/main/java/no/nav/vedtak/exception/TekniskException.java
index 8660c7ed3..6e08137f1 100644
--- a/felles/feil/src/main/java/no/nav/vedtak/exception/TekniskException.java
+++ b/felles/feil/src/main/java/no/nav/vedtak/exception/TekniskException.java
@@ -1,5 +1,4 @@
 package no.nav.vedtak.exception;
-@Deprecated(since = "3.1", forRemoval = true)
 /* Bruk klasser fra no.nav.foreldrepenger.felles:feil:1.0.1 istedenfor. */
 public class TekniskException extends VLException {
diff --git a/felles/feil/src/main/java/no/nav/vedtak/exception/VLException.java b/felles/feil/src/main/java/no/nav/vedtak/exception/VLException.java
index e66964db0..083d73b3a 100644
--- a/felles/feil/src/main/java/no/nav/vedtak/exception/VLException.java
+++ b/felles/feil/src/main/java/no/nav/vedtak/exception/VLException.java
@@ -1,5 +1,4 @@
 package no.nav.vedtak.exception;
-@Deprecated(since = "3.1", forRemoval = true)
 /* Bruk klasser fra no.nav.foreldrepenger.felles:feil:1.0.1 istedenfor. */
 public abstract class VLException extends RuntimeException {
diff --git a/felles/feil/src/main/java/no/nav/vedtak/package-info.java b/felles/feil/src/main/java/no/nav/vedtak/package-info.java index 4c494f518..764b4c56b 100644 --- a/felles/feil/src/main/java/no/nav/vedtak/package-info.java +++ b/felles/feil/src/main/java/no/nav/vedtak/package-info.java @@ -1,6 +1,5 @@ /** - * @Deprecated(since = "3.1", forRemoval = true) * Bruk klasser fra no.nav.foreldrepenger.felles:feil:1.0.1 istedenfor. * Denne pakken inneholder felles Exception for å håndtere feilmeldinger og feilkoder som logges. * diff --git a/felles/log/src/main/java/no/nav/vedtak/log/audit/Auditlogger.java b/felles/log/src/main/java/no/nav/vedtak/log/audit/Auditlogger.java index 1382797a0..c178d0094 100644 --- a/felles/log/src/main/java/no/nav/vedtak/log/audit/Auditlogger.java +++ b/felles/log/src/main/java/no/nav/vedtak/log/audit/Auditlogger.java @@ -32,7 +32,6 @@ public class Auditlogger { private final String defaultVendor; private final String defaultProduct; - @Inject public Auditlogger(@KonfigVerdi(value = "auditlogger.enabled", required = false) boolean enabled, @KonfigVerdi(value = "auditlogger.vendor", required = false) String defaultVendor, diff --git a/felles/mapper/pom.xml b/felles/mapper/pom.xml new file mode 100644 index 000000000..0c398c331 --- /dev/null +++ b/felles/mapper/pom.xml @@ -0,0 +1,34 @@ + + + 4.0.0 + + + felles + no.nav.foreldrepenger.felles + 3.0.83-SNAPSHOT + + + felles-mapper + + + + no.nav.foreldrepenger.felles + felles-feil + + + com.fasterxml.jackson.datatype + jackson-datatype-jdk8 + + + com.fasterxml.jackson.datatype + jackson-datatype-jsr310 + + + com.fasterxml.jackson.core + jackson-databind + + + + 
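Review bot: Dropping `@Inject` from the Auditlogger constructor leaves a class whose parameters still carry `@KonfigVerdi` qualifiers but no constructor a CDI container can call, since no no-arg constructor is visible in the hunk; if anything still injects Auditlogger, deployment would fail to resolve it, and if it is now constructed explicitly the `@KonfigVerdi` annotations are dead and the `javax.inject.Inject` import is presumably unused. Either keep `@Inject` or document the new wiring on the class, e.g. `/** Not a CDI bean: constructed explicitly by the abac module with values read from configuration. */`. The constructor's remaining parameters and the rest of the class continue outside the hunk.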
diff --git a/felles/util/src/main/java/no/nav/vedtak/felles/integrasjon/rest/DefaultJsonMapper.java b/felles/mapper/src/main/java/no/nav/foreldrepenger/felles/integrasjon/rest/DefaultJsonMapper.java similarity index 97% rename from felles/util/src/main/java/no/nav/vedtak/felles/integrasjon/rest/DefaultJsonMapper.java rename to felles/mapper/src/main/java/no/nav/foreldrepenger/felles/integrasjon/rest/DefaultJsonMapper.java index c8be48cc3..84a1fd6ad 100644 --- a/felles/util/src/main/java/no/nav/vedtak/felles/integrasjon/rest/DefaultJsonMapper.java +++ b/felles/mapper/src/main/java/no/nav/foreldrepenger/felles/integrasjon/rest/DefaultJsonMapper.java @@ -1,4 +1,4 @@ -package no.nav.vedtak.felles.integrasjon.rest; +package no.nav.foreldrepenger.felles.integrasjon.rest; import java.io.IOException; import java.util.List; @@ -13,7 +13,6 @@ import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule; import no.nav.vedtak.exception.TekniskException; - public class DefaultJsonMapper { private DefaultJsonMapper() { diff --git a/felles/pom.xml b/felles/pom.xml index 6f9deeb77..364465d52 100644 --- a/felles/pom.xml +++ b/felles/pom.xml @@ -18,8 +18,10 @@ feil log util + mapper db bom + abac @@ -117,6 +119,21 @@ felles-log ${project.version} + + no.nav.foreldrepenger.felles + felles-abac + ${project.version} + + + no.nav.foreldrepenger.felles.integrasjon + felles-integrasjon-rest-klient + ${project.version} + + + no.nav.foreldrepenger.felles + felles-mapper + ${project.version} + no.nav.foreldrepenger.felles felles-db diff --git a/felles/sikkerhet/sikkerhet/pom.xml b/felles/sikkerhet/sikkerhet/pom.xml index 012046bb8..96ea45769 100644 --- a/felles/sikkerhet/sikkerhet/pom.xml +++ b/felles/sikkerhet/sikkerhet/pom.xml @@ -57,12 +57,7 @@ jakarta.json jakarta.json-api - - - org.jboss.resteasy - resteasy-json-p-provider - ${resteasy.version} - + javax.jws jsr181-api 
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAttributtSamling.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAttributtSamling.java
deleted file mode 100644
index 15f5980a2..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAttributtSamling.java
+++ /dev/null
@@ -1,111 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-import java.net.URI;
-import java.util.Objects;
-import java.util.Set;
-
-import com.nimbusds.jwt.SignedJWT;
-
-import no.nav.vedtak.sikkerhet.abac.AbacIdToken.TokenType;
-
-public class AbacAttributtSamling {
- private final AbacIdToken idToken;
- private final AbacDataAttributter dataAttributter = AbacDataAttributter.opprett();
- private BeskyttetRessursActionAttributt actionType;
- private String resource;
- private String action;
-
- private AbacAttributtSamling(AbacIdToken idToken) {
- this.idToken = idToken;
- }
-
- public static AbacAttributtSamling medJwtToken(String jwtToken) {
- return medJwtToken(jwtToken, oidcTokenType(jwtToken));
- }
-
- public static AbacAttributtSamling medJwtToken(String jwtToken, TokenType type) {
- Objects.requireNonNull(jwtToken);
- return new AbacAttributtSamling(AbacIdToken.withToken(jwtToken, type));
- }
-
- public static AbacAttributtSamling medSamlToken(String samlToken) {
- Objects.requireNonNull(samlToken);
- return new AbacAttributtSamling(AbacIdToken.withToken(samlToken, TokenType.SAML));
- }
-
- public AbacAttributtSamling leggTil(AbacDataAttributter dataAttributter) {
- this.dataAttributter.leggTil(dataAttributter);
- return this;
- }
-
- public Set getVerdier(AbacAttributtType type) {
- return dataAttributter.getVerdier(type);
- }
-
- public Set keySet() {
- return dataAttributter.keySet();
- }
-
- public AbacIdToken getIdToken() {
- return idToken;
- }
-
- @Override
- public String toString() {
- return AbacAttributtSamling.class.getSimpleName() + '{' + idToken +
- " action='" + action + "'" +
- " actionType='" + actionType + "'" +
- " resource='" + resource + "' " +
- dataAttributter +
- '}';
- }
-
- public AbacAttributtSamling setActionType(BeskyttetRessursActionAttributt actionType) {
- this.actionType = actionType;
- return this;
- }
-
- public BeskyttetRessursActionAttributt getActionType() {
- return actionType;
- }
-
- public AbacAttributtSamling setResource(String resource) {
- this.resource = resource;
- return this;
- }
-
- public String getResource() {
- return resource;
- }
-
- public int getTotalAntallAttributter() {
- return dataAttributter.keySet().stream().mapToInt(k -> dataAttributter.getVerdier(k).size()).sum();
- }
-
- public int kryssProduktAntallAttributter() {
- return dataAttributter.keySet().stream()
- .mapToInt(k -> dataAttributter.getVerdier(k).size())
- .filter(s -> s > 0)
- .reduce(1, (a, b) -> a * b);
- }
-
- public AbacAttributtSamling setAction(String action) {
- this.action = action;
- return this;
- }
-
- public String getAction() {
- return action;
- }
-
- private static TokenType oidcTokenType(String token) {
- try {
- return URI.create(SignedJWT.parse(token)
- .getJWTClaimsSet().getIssuer()).getHost().contains("tokendings") ? TokenType.TOKENX : TokenType.OIDC;
-
- } catch (Exception e) {
- throw new IllegalArgumentException("Ukjent token type");
- }
- }
-
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAttributtType.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAttributtType.java
deleted file mode 100644
index 12e1afb59..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacAttributtType.java
+++ /dev/null
@@ -1,9 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-import no.nav.vedtak.log.sporingslogg.SporingsloggId;
-
-public interface AbacAttributtType extends SporingsloggId {
-
- boolean getMaskerOutput();
-
-}
\ No newline at end of file
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacDto.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacDto.java
deleted file mode 100644
index 4a5e49bcd..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacDto.java
+++ /dev/null
@@ -1,5 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-public interface AbacDto {
- AbacDataAttributter abacAttributter();
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacIdToken.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacIdToken.java
deleted file mode 100644
index 674545824..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacIdToken.java
+++ /dev/null
@@ -1,69 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-public class AbacIdToken {
-
- public enum TokenType {
- OIDC,
- TOKENX,
- SAML;
- }
-
- private final String token;
- private final TokenType tokenType;
-
- private AbacIdToken(String token, TokenType tokenType) {
- this.token = token;
- this.tokenType = tokenType;
- }
-
- @Deprecated
- public static AbacIdToken withOidcToken(String token) {
- return new AbacIdToken(token, TokenType.OIDC);
- }
-
- public static AbacIdToken withToken(String token, TokenType type) {
- return new AbacIdToken(token, type);
- }
-
- @Deprecated
- public static AbacIdToken withSamlToken(String token) {
- return new AbacIdToken(token, TokenType.SAML);
- }
-
- public TokenType getTokenType() {
- return tokenType;
- }
-
- private String token() {
- switch (tokenType) {
- case SAML:
- return "samlToken='MASKERT'";
- default:
- return "jwtToken='" + maskerOidcToken(token) + '\'';
- }
- }
-
- @Override
- public String toString() {
- return getClass().getSimpleName() + " [token=" + token() + ", tokenType=" + tokenType + "]";
- }
-
- @Deprecated
- public boolean erOidcToken() {
- return TokenType.OIDC.equals(tokenType);
- }
-
- @Deprecated
- public boolean erSamlToken() {
- return TokenType.SAML.equals(tokenType);
- }
-
- public String getToken() {
- return token;
- }
-
- private static String maskerOidcToken(String token) {
- return token.substring(0, token.lastIndexOf('.')) + ".MASKERT";
- }
-
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacSporingslogg.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacSporingslogg.java
deleted file mode 100644
index 0ab56bc88..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/AbacSporingslogg.java
+++ /dev/null
@@ -1,16 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-import java.util.List;
-
-import no.nav.vedtak.log.sporingslogg.Sporingsdata;
-
-public interface AbacSporingslogg {
-
- /** tilstandsløs - konvertere beslutning/attributter til sporingsdata. */
- List byggSporingsdata(Tilgangsbeslutning beslutning, AbacAttributtSamling attributter);
-
- void logg(List sporingsdata);
-
- void loggDeny(Tilgangsbeslutning beslutning, AbacAttributtSamling attributter);
-
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/ActionUthenter.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/ActionUthenter.java
deleted file mode 100644
index 52e096914..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/ActionUthenter.java
+++ /dev/null
@@ -1,65 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-import java.lang.reflect.Method;
-
-import javax.jws.WebMethod;
-import javax.jws.WebService;
-import javax.ws.rs.Path;
-
-public class ActionUthenter {
-
- private static final String SLASH = "/";
-
- private ActionUthenter() {
-
- }
-
- public static String action(Class clazz, Method method) {
- return clazz.getAnnotation(WebService.class) != null
- ? actionForWebServiceMethod(clazz, method)
- : actionForRestMethod(clazz, method);
- }
-
- private static String actionForRestMethod(Class clazz, Method method) {
- Path pathOfClass = clazz.getAnnotation(Path.class);
- Path pathOfMethod = method.getAnnotation(Path.class);
-
- String path = "";
- if (pathOfClass != null) {
- path += ensureStartsWithSlash(pathOfClass.value());
- }
- if (pathOfMethod != null) {
- path += ensureStartsWithSlash(pathOfMethod.value());
- }
- return path;
- }
-
- private static String actionForWebServiceMethod(Class clazz, Method method) {
- WebMethod webMethodAnnotation = finnWebMethod(method);
- if (webMethodAnnotation.action().isEmpty()) {
- throw new IllegalArgumentException(
- "Mangler action på @WebMethod-annotering for metode på Webservice " + clazz.getName() + "." + method.getName());
- }
- return webMethodAnnotation.action();
- }
-
- private static WebMethod finnWebMethod(Method method) {
- // annoteringen finnes i et av interfacene
- for (Class anInterface : method.getDeclaringClass().getInterfaces()) {
- try {
- Method deklarertMetode = anInterface.getDeclaredMethod(method.getName(), method.getParameterTypes());
- WebMethod annotation = deklarertMetode.getAnnotation(WebMethod.class);
- if (annotation != null) {
- return annotation;
- }
- } catch (NoSuchMethodException e) {
- // forventet hvis webservice arver fra flere interface
- }
- }
- throw new IllegalArgumentException("Mangler @WebMethod-annotering i interface for " + method.getDeclaringClass() + "." + method.getName());
- }
-
- private static String ensureStartsWithSlash(String value) {
- return value.startsWith(SLASH) ? value : SLASH + value;
- }
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursInterceptor.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursInterceptor.java
deleted file mode 100644
index 256e3e48f..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/BeskyttetRessursInterceptor.java
+++ /dev/null
@@ -1,173 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
-import java.util.Collection;
-import java.util.List;
-
-import javax.annotation.Priority;
-import javax.enterprise.context.Dependent;
-import javax.inject.Inject;
-import javax.interceptor.AroundInvoke;
-import javax.interceptor.Interceptor;
-import javax.interceptor.InvocationContext;
-import javax.jws.WebService;
-
-import org.jboss.weld.interceptor.util.proxy.TargetInstanceProxy;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import no.nav.vedtak.exception.TekniskException;
-import no.nav.vedtak.log.sporingslogg.Sporingsdata;
-import no.nav.vedtak.util.env.Environment;
-
-@BeskyttetRessurs(action = BeskyttetRessursActionAttributt.DUMMY, resource = "")
-@Interceptor
-@Priority(Interceptor.Priority.APPLICATION + 11)
-@Dependent
-public class BeskyttetRessursInterceptor {
-
- private static final Logger LOG = LoggerFactory.getLogger(BeskyttetRessursInterceptor.class);
- private final Pep pep;
- private final AbacSporingslogg sporingslogg;
- private final AbacAuditlogger abacAuditlogger;
- private static final Environment ENV = Environment.current();
- private final TokenProvider tokenProvider;
-
- @Inject
- public BeskyttetRessursInterceptor(Pep pep, AbacSporingslogg sporingslogg, AbacAuditlogger abacAuditlogger, TokenProvider provider) {
- this.pep = pep;
- this.sporingslogg = sporingslogg;
- this.abacAuditlogger = abacAuditlogger;
- this.tokenProvider = provider;
- }
-
- @AroundInvoke
- public Object wrapTransaction(final InvocationContext invocationContext) throws Exception {
- var attributter = hentAttributter(invocationContext);
- var beslutning = pep.vurderTilgang(attributter);
- if (beslutning.fikkTilgang()) {
- return proceed(invocationContext, attributter, beslutning);
- }
- return ikkeTilgang(attributter, beslutning);
- }
-
- private Object proceed(InvocationContext invocationContext, AbacAttributtSamling attributter, Tilgangsbeslutning beslutning) throws Exception {
- Method method = invocationContext.getMethod();
- boolean sporingslogges = method.getAnnotation(BeskyttetRessurs.class).sporingslogg();
- if (sporingslogges) {
- if (abacAuditlogger.isEnabled()) {
- abacAuditlogger.loggTilgang(tokenProvider.getUid(), beslutning.getPdpRequest(), attributter);
- }
-
- // bygger sporingsdata før kallet til invocationContext.proceed,
- // da vi heller vil ha evt. exceptions fra sporing før forretningslogikk har
- // kjørt
- List sporingsdata = sporingslogg.byggSporingsdata(beslutning, attributter);
- Object resultat = invocationContext.proceed();
- // logger til slutt, det skal ikke logges dersom operasjonen ikke lot seg utføre
- // i motsatt fall blir sporingsloggen misvisende
- if (!abacAuditlogger.isEnabled()) {
- sporingslogg.logg(sporingsdata);
- }
- return resultat;
- }
- return invocationContext.proceed();
- }
-
- private Object ikkeTilgang(AbacAttributtSamling attributter, Tilgangsbeslutning beslutning) {
- if (abacAuditlogger.isEnabled()) {
- final String uid = tokenProvider.getUid();
- abacAuditlogger.loggDeny(uid, beslutning.getPdpRequest(), attributter);
- } else {
- sporingslogg.loggDeny(beslutning, attributter);
- }
-
- switch (beslutning.getBeslutningKode()) {
- case AVSLÅTT_KODE_6:
- throw new PepNektetTilgangException("F-709170", "Tilgangskontroll.Avslag.Kode6");
- case AVSLÅTT_KODE_7:
- throw new PepNektetTilgangException("F-027901", "Tilgangskontroll.Avslag.Kode7");
- case AVSLÅTT_EGEN_ANSATT:
- throw new PepNektetTilgangException("F-788257", "Tilgangskontroll.Avslag.EgenAnsatt");
- default:
- throw new PepNektetTilgangException("F-608625", "Ikke tilgang");
- }
- }
-
- private AbacAttributtSamling hentAttributter(InvocationContext invocationContext) {
- Class clazz = getOpprinneligKlasse(invocationContext);
- var method = invocationContext.getMethod();
- var attributter = clazz.getAnnotation(WebService.class) != null
- ? AbacAttributtSamling.medSamlToken(tokenProvider.samlToken())
- : AbacAttributtSamling.medJwtToken(tokenProvider.userToken());
- var beskyttetRessurs = method.getAnnotation(BeskyttetRessurs.class);
- attributter.setActionType(beskyttetRessurs.action());
-
- if (!beskyttetRessurs.property().isEmpty()) {
- var resource = ENV.getProperty(beskyttetRessurs.property());
- attributter.setResource(resource);
- } else if (!beskyttetRessurs.resource().isEmpty()) {
- attributter.setResource(beskyttetRessurs.resource());
- }
-
- attributter.setAction(utledAction(clazz, method));
- var parameterDecl = method.getParameters();
- for (int i = 0; i < method.getParameterCount(); i++) {
- Object parameterValue = invocationContext.getParameters()[i];
- var tilpassetAnnotering = parameterDecl[i].getAnnotation(TilpassetAbacAttributt.class);
- leggTilAttributterFraParameter(attributter, parameterValue, tilpassetAnnotering);
- }
- return attributter;
- }
-
- @SuppressWarnings("rawtypes")
- static void leggTilAttributterFraParameter(AbacAttributtSamling attributter, Object parameterValue, TilpassetAbacAttributt tilpassetAnnotering) {
- if (tilpassetAnnotering != null) {
- leggTil(attributter, tilpassetAnnotering, parameterValue);
- } else {
- if (parameterValue instanceof AbacDto) { // NOSONAR for å støtte både enkelt-DTO-er og collection av DTO-er
- attributter.leggTil(((AbacDto) parameterValue).abacAttributter());
- } else if (parameterValue instanceof Collection) { // NOSONAR for å støtte både enkelt-DTO-er og collection av DTO-er
- leggTilAbacDtoSamling(attributter, (Collection) parameterValue);
- }
- }
- }
-
- private static void leggTilAbacDtoSamling(AbacAttributtSamling attributter, Collection parameterValue) {
- for (Object value : parameterValue) {
- if (value instanceof AbacDto) {
- attributter.leggTil(((AbacDto) value).abacAttributter());
- } else {
- throw new TekniskException("F-261962",
- String.format("Ugyldig input forventet at samling inneholdt bare AbacDto-er, men fant %s",
- value != null ? value.getClass().getName() : "null"));
- }
- }
- }
-
- @SuppressWarnings("rawtypes")
- private static Class getOpprinneligKlasse(InvocationContext invocationContext) {
- Object target = invocationContext.getTarget();
- if (target instanceof TargetInstanceProxy) {
- return ((TargetInstanceProxy) target).weld_getTargetClass();
- }
- return target.getClass();
- }
-
- private static String utledAction(Class clazz, Method method) {
- return ActionUthenter.action(clazz, method);
- }
-
- private static void leggTil(AbacAttributtSamling attributter, TilpassetAbacAttributt tilpassetAnnotering, Object verdi) {
- try {
- var dataAttributter = tilpassetAnnotering.supplierClass().getDeclaredConstructor().newInstance().apply(verdi);
- attributter.leggTil(dataAttributter);
- } catch (NoSuchMethodException | IllegalAccessException | InstantiationException e) {
- throw new IllegalStateException(e);
- } catch (InvocationTargetException e) {
- throw new IllegalStateException(e.getCause());
- }
- }
-
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/DefaultAbacSporingslogg.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/DefaultAbacSporingslogg.java
deleted file mode 100644
index 0f34936bd..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/DefaultAbacSporingslogg.java
+++ /dev/null
@@ -1,225 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-import java.util.Optional;
-
-import javax.enterprise.context.ApplicationScoped;
-import javax.enterprise.inject.Default;
-
-import org.slf4j.Logger;
-
-import no.nav.vedtak.log.sporingslogg.Sporingsdata;
-import no.nav.vedtak.log.sporingslogg.SporingsloggId;
-import no.nav.vedtak.log.sporingslogg.StandardSporingsloggId;
-import no.nav.vedtak.log.util.LoggerUtils;
-import no.nav.vedtak.util.AppLoggerFactory;
-
-/**
- * Default eksempel på AbacSporingslogg implementasjon. Vil benyttes med mindre
- * applikasjonen definerer en {@link javax.enterprise.inject.Alternative}
- * implementasjon.
- *
- * Bør overrides i egen applikasjon dersom en har egne ABAC attributter eller
- * nøkler som skal spores. Her håndteres kun felles som
- * {@link NavAbacCommonAttributter} og {@link StandardSporingsloggId}.
- * Outputformat konsumeres av MF ArcSight.
- */
-@Default
-@ApplicationScoped
-public class DefaultAbacSporingslogg implements AbacSporingslogg {
-
- private static final Logger SPORINGSLOGG = AppLoggerFactory.getSporingLogger(DefaultAbacSporingslogg.class);
-
- private static final char SPACE_SEPARATOR = ' ';
-
- private static List utvidSporingsdata(List input, Collection attributtVerdier, SporingsloggId id) {
- if (attributtVerdier.isEmpty()) {
- return input;
- }
- List output = new ArrayList<>();
- for (Sporingsdata sporingsdata : input) {
- int i = 1;
- for (T attributtVerdi : attributtVerdier) {
- Sporingsdata sd = i++ < attributtVerdier.size()
- ? sporingsdata.kopi()
- : sporingsdata;
- output.add(sd.leggTilId(id, attributtVerdi.toString()));
- }
- }
- return output;
- }
-
- @Override
- public List byggSporingsdata(Tilgangsbeslutning beslutning, AbacAttributtSamling attributter) {
- return byggSporingsdata(beslutning.getPdpRequest(), attributter);
- }
-
- @Override
- public void logg(List sporingsdata) {
- for (Sporingsdata sporingsdatum : sporingsdata) {
- logg(sporingsdatum);
- }
- }
-
- @Override
- public void loggDeny(Tilgangsbeslutning beslutning, AbacAttributtSamling attributter) {
- loggDeny(beslutning.getPdpRequest(), beslutning.getDelbeslutninger(), attributter);
- }
-
- private static int antallSporingsrader(AbacAttributtSamling attributter) {
- return attributter.kryssProduktAntallAttributter();
- }
-
- private static List byggIkkeSammensatteSporingsdata(AbacAttributtSamling attributter, List pdpRequestSporingsdata) {
- // egne linjer, for å unngå store kryssprodukter
- List resultat = new ArrayList<>();
- resultat.addAll(pdpRequestSporingsdata);
- resultat.addAll(leggPåAttributter(Sporingsdata.opprett(attributter.getAction()), attributter));
- return resultat;
- }
-
- private static List byggSammensattSporingsdata(AbacAttributtSamling attributter, List pdpRequestSporingsdata) {
- // logg på samme linje(r)
- List resultat = new ArrayList<>();
- for (Sporingsdata sporingsdatum : pdpRequestSporingsdata) {
- resultat.addAll(leggPåAttributter(sporingsdatum, attributter));
- }
- return resultat;
- }
-
- private List byggSporingsdata(PdpRequest pdpRequest, AbacAttributtSamling attributter) {
- int antallRaderFraPdpRequest = antallResources(pdpRequest);
- List pdpRequestSporingsdata = new ArrayList<>();
- for (int i = 0; i < antallRaderFraPdpRequest; i++) {
- pdpRequestSporingsdata.add(byggSporingsdata(attributter.getAction(), pdpRequest, i));
- }
-
- int antallRaderFraAttributter = antallSporingsrader(attributter);
- return antallRaderFraAttributter == 1 || antallRaderFraPdpRequest == 1
- ? byggSammensattSporingsdata(attributter, pdpRequestSporingsdata)
- : byggIkkeSammensatteSporingsdata(attributter, pdpRequestSporingsdata);
- }
-
- private Sporingsdata byggSporingsdata(String action, PdpRequest pdpRequest, int index, Decision decision) {
- return byggSporingsdata(action, pdpRequest, index).leggTilId(StandardSporingsloggId.ABAC_DECISION, decision.getEksternKode());
- }
-
- private static String fjernMellomrom(String verdi) {
- return verdi != null ? verdi.replace(' ', '_') : null;
- }
-
- private static List leggPåAttributter(Sporingsdata original, AbacAttributtSamling attributter) {
- List sporingsdata = new ArrayList<>();
- sporingsdata.add(original);
-
- for (var attrib : attributter.keySet()) {
- sporingsdata = utvidSporingsdata(sporingsdata, attributter.getVerdier(attrib), attrib);
- }
-
- return sporingsdata;
- }
-
- private static void logg(Sporingsdata sporingsdata) {
- StringBuilder msg = new StringBuilder()
- .append("action=").append(sporingsdata.getAction()).append(SPACE_SEPARATOR);
- for (var entry : sporingsdata.entrySet()) {
- String nøkkel = entry.getKey();
- String verdi = entry.getValue();
- msg.append(nøkkel)
- .append('=')
- .append(fjernMellomrom(verdi))
- .append(SPACE_SEPARATOR);
- }
- String sanitizedMsg = LoggerUtils.toStringWithoutLineBreaks(msg);
- SPORINGSLOGG.info(sanitizedMsg);
- }
-
- /** Antall identer (aktørId, fnr) som behandles i denne requesten. */
- protected int antallIdenter(PdpRequest pdpRequest) {
- return pdpRequest.getAntall(no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE)
- + pdpRequest.getAntall(no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR);
- }
-
- protected int antallResources(PdpRequest pdpRequest) {
- int antallIdenter = antallIdenter(pdpRequest);
- int antallResources = getAntallResources(pdpRequest);
- return Math.max(1, antallIdenter) * Math.max(1, antallResources);
- }
-
- protected Sporingsdata byggSporingsdata(String action, PdpRequest pdpRequest, int index) {
- Sporingsdata sporingsdata = Sporingsdata.opprett(action)
- .leggTilId(StandardSporingsloggId.ABAC_ACTION,
- pdpRequest.getString(no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.XACML10_ACTION_ACTION_ID))
- .leggTilId(StandardSporingsloggId.ABAC_RESOURCE_TYPE,
- pdpRequest.getString(no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_RESOURCE_TYPE));
-
- // hent ut fnr og aksjonpspunkt-typer vha indexer pga kryssprodukt mellom disse
- setOptionalListValueinAttributeSet(sporingsdata, pdpRequest, no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR,
- index % Math.max(pdpRequest.getAntall(no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR), 1),
- StandardSporingsloggId.FNR);
-
- setOptionalListValueinAttributeSet(sporingsdata, pdpRequest,
- no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE,
- index % Math.max(pdpRequest.getAntall(no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE),
- 1),
- StandardSporingsloggId.AKTOR_ID);
-
- setCustomSporingsdata(pdpRequest, index, sporingsdata);
- return sporingsdata;
- }
-
- /**
- * Eks. antall akjonspunkter, mottate dokumenter, el. som behandles i denne
- * requesten.
- */
- protected int getAntallResources(@SuppressWarnings("unused") PdpRequest pdpRequest) {
- return 1; // default - override etter behov
- }
-
- protected void loggDeny(PdpRequest pdpRequest, List decisions, AbacAttributtSamling attributter) {
- List pdpRequestSporingsdata = new ArrayList<>();
- for (int i = 0; i < decisions.size(); i++) {
- if (decisions.get(i) == Decision.Deny) {
- pdpRequestSporingsdata.add(byggSporingsdata(attributter.getAction(), pdpRequest, i, decisions.get(i)));
- }
- }
-
- List sporingsdata = byggSammensattSporingsdata(attributter, pdpRequestSporingsdata);
- logg(sporingsdata);
- }
-
- protected void loggTilgang(AbacAttributtSamling attributter) {
- loggTilgang(new PdpRequest(), attributter);
- }
-
- protected void loggTilgang(PdpRequest pdpRequest, AbacAttributtSamling attributter) {
- List sporingsdata = byggSporingsdata(pdpRequest, attributter);
- logg(sporingsdata);
- }
-
- @SuppressWarnings("unused")
- protected void setCustomSporingsdata(PdpRequest pdpRequest, int index, Sporingsdata sporingsdata) {
- // Template method
-
- // bruk følgende til å legge til sporingsdata egne attributter
- // setOptionalListValueinAttributeSet
- // setOptionalValueinAttributeSet
-
- }
-
- /** Hjelpe metode for å legge til sporingsdata. */
- protected void setOptionalListValueinAttributeSet(Sporingsdata sporingsdata, PdpRequest pdpRequest, String key, int index, SporingsloggId id) {
- List list = pdpRequest.getListOfString(key);
- if (list.size() >= index + 1) {
- Optional.ofNullable(list.get(index)).ifPresent(s -> sporingsdata.leggTilId(id, s));
- }
- }
-
- /** Hjelpe metode for å legge til sporingsdata. */
- protected void setOptionalValueinAttributeSet(Sporingsdata sporingsdata, PdpRequest pdpRequest, String key, SporingsloggId id) {
- pdpRequest.getOptional(key).ifPresent(s -> sporingsdata.leggTilId(id, s));
- }
-
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/JaasTokenProvider.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/JaasTokenProvider.java
deleted file mode 100644
index a157321ca..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/JaasTokenProvider.java
+++ /dev/null
@@ -1,8 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-import javax.enterprise.context.Dependent;
-
-@Dependent
-public class JaasTokenProvider implements TokenProvider {
-
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/NavAbacCommonAttributter.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/NavAbacCommonAttributter.java
deleted file mode 100644
index a38422547..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/NavAbacCommonAttributter.java
+++ /dev/null
@@ -1,25 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-/**
- * Inneholder subset av konstanter deklareret i aba-common-attributter modul i
- * Nav.
- *
- * @see abac-common-attributes-alfa / CommonAttributter.
- */
-public class NavAbacCommonAttributter {
-
- public static final String ENVIRONMENT_FELLES_TOKENX_TOKEN_BODY = "no.nav.abac.attributter.environment.felles.tokenx_token_body";
- public static final String ENVIRONMENT_FELLES_SAML_TOKEN = "no.nav.abac.attributter.environment.felles.saml_token";
- public static final String ENVIRONMENT_FELLES_OIDC_TOKEN_BODY = "no.nav.abac.attributter.environment.felles.oidc_token_body";
- public static final String ENVIRONMENT_FELLES_PEP_ID = "no.nav.abac.attributter.environment.felles.pep_id";
- public static final String RESOURCE_FELLES_RESOURCE_TYPE = "no.nav.abac.attributter.resource.felles.resource_type";
- public static final String RESOURCE_FELLES_DOMENE = "no.nav.abac.attributter.resource.felles.domene";
- public static final String RESOURCE_FELLES_PERSON_NAVN = "no.nav.abac.attributter.resource.felles.person.navn";
- public static final String XACML10_ACTION_ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id";
- public static final String RESOURCE_FELLES_PERSON_FNR = "no.nav.abac.attributter.resource.felles.person.fnr";
- public static final String RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE = "no.nav.abac.attributter.resource.felles.person.aktoerId_resource";
- public static final String XACML10_SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
- public static final String SUBJECT_TYPE = "no.nav.abac.attributter.subject.felles.subjectType";
- public static final String SUBJECT_LEVEL = "no.nav.abac.attributter.subject.felles.authenticationLevel";
-
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpKlient.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpKlient.java
deleted file mode 100644
index 2ffd40b87..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpKlient.java
+++ /dev/null
@@ -1,12 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-public interface PdpKlient {
-
- /**
- * Key i PdpRequest hvor token informasjon ligger.
- */
- String ENVIRONMENT_AUTH_TOKEN = "no.nav.vedtak.sikkerhet.pdp.AbacIdToken";
-
- Tilgangsbeslutning forespørTilgang(PdpRequest pdpRequest);
-
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpRequest.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpRequest.java
deleted file mode 100644
index 4ba6b7152..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpRequest.java
+++ /dev/null
@@ -1,62 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Objects;
-import java.util.Optional;
-
-public class PdpRequest {
-
- private final Map attributeMap;
-
- public PdpRequest() {
- this(new HashMap<>());
- }
-
- PdpRequest(Map attributeMap) {
- this.attributeMap = attributeMap;
- }
-
- public void put(String key, Object value) {
- Objects.requireNonNull(key, "Key must not be null");
- attributeMap.put(key, value);
- }
-
- public Object get(String key) {
- Objects.requireNonNull(key, "Key must not be null");
- return attributeMap.get(key);
- }
-
- public String getString(String key) {
- Objects.requireNonNull(key, "Key must not be null");
- return (String) attributeMap.get(key);
- }
-
- public Optional getOptional(String key) {
- Objects.requireNonNull(key, "Key must not be null");
- return Optional.ofNullable(attributeMap.get(key)).map(String::valueOf);
- }
-
- @SuppressWarnings("unchecked")
- public List getListOfString(String key) {
- Objects.requireNonNull(key, "Key must not be null");
- if (attributeMap.containsKey(key)) {
- return new ArrayList<>((Collection) attributeMap.get(key));
- }
- return Collections.emptyList();
- }
-
- public int getAntall(String key) {
- return getListOfString(key).size();
- }
-
- @Override
- public String toString() {
- return getClass().getSimpleName() + " [attributeMap=" + attributeMap + "]";
- }
-
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpRequestBuilder.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpRequestBuilder.java
deleted file mode 100644
index b22ebf894..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PdpRequestBuilder.java
+++ /dev/null
@@ -1,5 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-public interface PdpRequestBuilder {
- PdpRequest lagPdpRequest(AbacAttributtSamling attributter);
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/Pep.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/Pep.java
deleted file mode 100644
index 3bf12e397..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/Pep.java
+++ /dev/null
@@ -1,6 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-public interface Pep {
-
- Tilgangsbeslutning vurderTilgang(AbacAttributtSamling attributter);
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PepImpl.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PepImpl.java
deleted file mode 100644
index ecbda65cd..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/PepImpl.java
+++ /dev/null
@@ -1,112 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-import static no.nav.vedtak.sikkerhet.abac.AbacResultat.AVSLÅTT_ANNEN_ÅRSAK;
-import static no.nav.vedtak.sikkerhet.abac.AbacResultat.GODKJENT;
-import static no.nav.vedtak.sikkerhet.abac.Decision.Deny;
-import static no.nav.vedtak.sikkerhet.abac.Decision.Permit;
-import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE;
-import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-
-import javax.enterprise.context.ApplicationScoped;
-import javax.enterprise.inject.Default;
-import javax.inject.Inject;
-
-import no.nav.vedtak.konfig.KonfigVerdi;
-
-@Default
-@ApplicationScoped
-public class PepImpl implements Pep {
- private final static String PIP = "pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker";
-
- private PdpKlient pdpKlient;
- private PdpRequestBuilder builder;
-
- private Set pipUsers;
- private AbacSporingslogg sporingslogg;
- private TokenProvider tokenProvider;
-
- public PepImpl() {
- }
-
- @Inject
- public PepImpl(PdpKlient pdpKlient,
- TokenProvider tokenProvider,
- PdpRequestBuilder pdpRequestBuilder,
- AbacSporingslogg sporingslogg,
- @KonfigVerdi(value = "pip.users", required = false) String pipUsers) {
- this.pdpKlient = pdpKlient;
- this.builder = pdpRequestBuilder;
- this.sporingslogg = sporingslogg;
- this.tokenProvider = tokenProvider;
- this.pipUsers = konfigurePipUsers(pipUsers);
- }
-
- protected Set konfigurePipUsers(String pipUsers) {
- if (pipUsers != null) {
- return Set.of(pipUsers.toLowerCase().split(","));
- }
- return Set.of();
- }
-
- @Override
- public Tilgangsbeslutning vurderTilgang(AbacAttributtSamling attributter) {
- var pdpRequest = builder.lagPdpRequest(attributter);
-
- if (PIP.equals(attributter.getResource())) {
- return vurderTilgangTilPipTjeneste(pdpRequest, attributter);
- }
- return 
pdpKlient.forespørTilgang(pdpRequest);
- }
-
- protected Tilgangsbeslutning vurderTilgangTilPipTjeneste(PdpRequest pdpRequest, AbacAttributtSamling attributter) {
- String uid = tokenProvider.getUid();
- if (pipUsers.contains(uid.toLowerCase())) {
- return lagPipPermit(pdpRequest);
- }
- var tilgangsbeslutning = lagPipDeny(pdpRequest);
- sporingslogg.loggDeny(tilgangsbeslutning, attributter);
- return tilgangsbeslutning;
- }
-
- protected Tilgangsbeslutning lagPipPermit(PdpRequest pdpRequest) {
- int antallResources = antallResources(pdpRequest);
- var decisions = lagDecisions(antallResources, Permit);
- return new Tilgangsbeslutning(GODKJENT, decisions, pdpRequest);
- }
-
- protected Tilgangsbeslutning lagPipDeny(PdpRequest pdpRequest) {
- int antallResources = antallResources(pdpRequest);
- var decisions = lagDecisions(antallResources, Deny);
- return new Tilgangsbeslutning(AVSLÅTT_ANNEN_ÅRSAK, decisions, pdpRequest);
- }
-
- protected int antallResources(PdpRequest pdpRequest) {
- return Math.max(1, antallIdenter(pdpRequest)) * Math.max(1, getAntallResources(pdpRequest));
- }
-
- protected int antallIdenter(PdpRequest pdpRequest) {
- // antall identer involvert i en request (eks. default - antall aktørId + antall
- // fnr)
- return pdpRequest.getAntall(RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE)
- + pdpRequest.getAntall(RESOURCE_FELLES_PERSON_FNR);
- }
-
- protected int getAntallResources(@SuppressWarnings("unused") PdpRequest pdpRequest) {
- // Template method. Regn evt ut antall aksjonspunkter el andre typer ressurser
- // som behandles i denne requesten (hvis mer enn 1)
- return 1;
- }
-
- private List lagDecisions(int antallDecisions, Decision decision) {
- List decisions = new ArrayList<>();
- for (int i = 0; i < antallDecisions; i++) {
- decisions.add(decision);
- }
- return decisions;
- }
-
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/StandardAbacAttributtType.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/StandardAbacAttributtType.java
deleted file mode 100644
index 20686b4c7..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/StandardAbacAttributtType.java
+++ /dev/null
@@ -1,62 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-/**
- * Skal kun inneholde STANDARD ABAC attributt typer. Finner du noe nytt og lurt
- * som du kun bruker i din applikasjon - lag din ege AbacAttributtType
- */
-public enum StandardAbacAttributtType implements AbacAttributtType {
- /**
- * Fødselsnummer eller D-nummer
- */
- FNR("fnr", true),
-
- AKTØR_ID("aktorId", true),
-
- /**
- * GSAK-saknummer
- */
- SAKSNUMMER("saksnummer"),
-
- BEHANDLING_ID("behandlingId"),
-
- DOKUMENT_DATA_ID("dokumentDataId"),
-
- FAGSAK_ID("fagsakId"),
-
- /**
- * Eksternt refererbar unik UUID for Behandling. Bør brukes mot andre systemer
- * istdf. BEHANDLING_ID.
- */
- BEHANDLING_UUID("behandlingUuid"),
-
- AKSJONSPUNKT_KODE("aksjonspunktKode"),
-
- JOURNALPOST_ID("journalpostId");
-
- private final String sporingsloggEksternKode;
- private final boolean maskerOutput;
-
- StandardAbacAttributtType() {
- this(null);
- }
-
- StandardAbacAttributtType(String sporingsloggEksternKode) {
- this(sporingsloggEksternKode, false);
- }
-
- StandardAbacAttributtType(String sporingsloggEksternKode, boolean maskerOutput) {
- this.sporingsloggEksternKode = sporingsloggEksternKode;
- this.maskerOutput = maskerOutput;
- }
-
- @Override
- public String getSporingsloggKode() {
- return sporingsloggEksternKode;
- }
-
- @Override
- public boolean getMaskerOutput() {
- return maskerOutput;
- }
-
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/TokenProvider.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/TokenProvider.java
deleted file mode 100644
index e3d09cb0c..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/abac/TokenProvider.java
+++ /dev/null
@@ -1,19 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-import no.nav.vedtak.sikkerhet.context.SubjectHandler;
-
-public interface TokenProvider {
-
- default String getUid() {
- return SubjectHandler.getSubjectHandler().getUid();
- }
-
- default String userToken() {
- return SubjectHandler.getSubjectHandler().getInternSsoToken();
- }
-
- default String samlToken() {
- return SubjectHandler.getSubjectHandler().getSamlToken().getTokenAsString();
- }
-
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumer.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumer.java
deleted file mode 100644
index 27265d399..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpConsumer.java
+++ /dev/null
@@ -1,8 +0,0 @@
-package no.nav.vedtak.sikkerhet.pdp;
-
-import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequestBuilder;
-import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlResponseWrapper;
-
-public interface PdpConsumer {
- XacmlResponseWrapper evaluate(XacmlRequestBuilder request);
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImpl.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImpl.java
deleted file mode 100644
index c024251a6..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/PdpKlientImpl.java
+++ /dev/null
@@ -1,145 +0,0 @@
-package no.nav.vedtak.sikkerhet.pdp;
-
-import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.ENVIRONMENT_FELLES_OIDC_TOKEN_BODY;
-import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.ENVIRONMENT_FELLES_PEP_ID;
-import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.ENVIRONMENT_FELLES_SAML_TOKEN;
-import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.ENVIRONMENT_FELLES_TOKENX_TOKEN_BODY;
-import static no.nav.vedtak.util.env.Environment.NAIS_APP_NAME;
-
-import java.nio.charset.StandardCharsets;
-import java.util.Base64;
-import java.util.List;
-
-import javax.enterprise.context.ApplicationScoped;
-import javax.inject.Inject;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import no.nav.vedtak.exception.TekniskException;
-import no.nav.vedtak.log.util.LoggerUtils;
-import no.nav.vedtak.sikkerhet.abac.AbacIdToken;
-import no.nav.vedtak.sikkerhet.abac.AbacResultat;
-import no.nav.vedtak.sikkerhet.abac.Decision;
-import no.nav.vedtak.sikkerhet.abac.PdpKlient;
-import no.nav.vedtak.sikkerhet.abac.PdpRequest;
-import no.nav.vedtak.sikkerhet.abac.Tilgangsbeslutning;
-import no.nav.vedtak.sikkerhet.oidc.JwtUtil;
-import no.nav.vedtak.sikkerhet.pdp.xacml.Advice;
-import no.nav.vedtak.sikkerhet.pdp.xacml.BiasedDecisionResponse;
-import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlAttributeSet;
-import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequestBuilder;
-import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlResponseWrapper;
-import no.nav.vedtak.util.env.Environment;
-
-@ApplicationScoped
-public class PdpKlientImpl implements PdpKlient {
-
- private static final Environment ENV = Environment.current();
- private static final Logger LOG = LoggerFactory.getLogger(PdpKlientImpl.class);
- private XacmlRequestBuilderTjeneste xamlRequestBuilderTjeneste;
-
- private PdpConsumer pdp;
-
- public PdpKlientImpl() {
- }
-
- @Inject
- public PdpKlientImpl(PdpConsumer pdp, XacmlRequestBuilderTjeneste 
xamlRequestBuilderTjeneste) {
- this.pdp = pdp;
- this.xamlRequestBuilderTjeneste = xamlRequestBuilderTjeneste;
- }
-
- @Override
- public Tilgangsbeslutning forespørTilgang(PdpRequest req) {
- var builder = xamlRequestBuilderTjeneste.lagXacmlRequestBuilder(req);
- leggPåTokenInformasjon(builder, req);
- var response = pdp.evaluate(builder);
- var hovedresultat = resultatFraResponse(evaluateWithBias(response));
- return new Tilgangsbeslutning(hovedresultat, response.getDecisions(), req);
- }
-
- static void leggPåTokenInformasjon(XacmlRequestBuilder builder, PdpRequest req) {
- var attrs = new XacmlAttributeSet();
- attrs.addAttribute(ENVIRONMENT_FELLES_PEP_ID, getPepId());
- var idToken = AbacIdToken.class.cast(req.get(ENVIRONMENT_AUTH_TOKEN));
- switch (idToken.getTokenType()) {
- case OIDC:
- String key = ENVIRONMENT_FELLES_OIDC_TOKEN_BODY;
- LOG.trace("Legger ved token med type oidc på {}", key);
- attrs.addAttribute(key, JwtUtil.getJwtBody(idToken.getToken()));
- break;
- case TOKENX:
- String keyX = ENVIRONMENT_FELLES_TOKENX_TOKEN_BODY;
- LOG.trace("Legger IKKE ved token med type tokenX på {}", keyX);
- // attrs.addAttribute(keyX, JwtUtil.getJwtBody(idToken.getToken()));
- break;
- case SAML:
- LOG.trace("Legger på token med type saml");
- attrs.addAttribute(ENVIRONMENT_FELLES_SAML_TOKEN, base64encode(idToken.getToken()));
- break;
- }
-
- builder.addEnvironmentAttributeSet(attrs);
- }
-
- private static String base64encode(String samlToken) {
- return Base64.getEncoder().encodeToString(samlToken.getBytes(StandardCharsets.UTF_8));
- }
-
- private static AbacResultat resultatFraResponse(BiasedDecisionResponse response) {
- if (response.getBiasedDecision() == Decision.Permit) {
- return AbacResultat.GODKJENT;
- }
- var denyAdvice = response.getXacmlResponse().getAdvice();
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Deny fra PDP, advice var: " + LoggerUtils.toStringWithoutLineBreaks(denyAdvice));
- }
- if (denyAdvice.contains(Advice.DENY_KODE_6)) {
- return 
AbacResultat.AVSLÅTT_KODE_6;
- }
- if (denyAdvice.contains(Advice.DENY_KODE_7)) {
- return AbacResultat.AVSLÅTT_KODE_7;
- }
- if (denyAdvice.contains(Advice.DENY_EGEN_ANSATT)) {
- return AbacResultat.AVSLÅTT_EGEN_ANSATT;
- }
- return AbacResultat.AVSLÅTT_ANNEN_ÅRSAK;
- }
-
- private static BiasedDecisionResponse evaluateWithBias(XacmlResponseWrapper response) {
- var decisions = response.getDecisions();
-
- for (var decision : decisions) {
- if (decision == Decision.Indeterminate) {
- throw new TekniskException("F-080281",
- String.format("Decision %s fra PDP, dette skal aldri skje. Full JSON response: %s", decision, response));
- }
- }
-
- var biasedDecision = createAggregatedDecision(decisions);
- var decisionResponse = new BiasedDecisionResponse(biasedDecision, response);
- handlObligation(decisionResponse);
- return decisionResponse;
- }
-
- private static Decision createAggregatedDecision(List decisions) {
- for (var decision : decisions) {
- if (decision != Decision.Permit)
- return Decision.Deny;
- }
- return Decision.Permit;
- }
-
- private static void handlObligation(BiasedDecisionResponse response) {
- var obligations = response.getXacmlResponse().getObligations();
- if (!obligations.isEmpty()) {
- throw new TekniskException("F-576027", String.format("Mottok ukjente obligations fra PDP: %s", obligations));
- }
- }
-
- private static String getPepId() {
- return ENV.getProperty(NAIS_APP_NAME, "local-app");
- }
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestBuilderTjeneste.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestBuilderTjeneste.java
deleted file mode 100644
index cd55435ec..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestBuilderTjeneste.java
+++ /dev/null
@@ -1,15 +0,0 @@
-package no.nav.vedtak.sikkerhet.pdp;
-
-import no.nav.vedtak.sikkerhet.abac.PdpRequest;
-import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequestBuilder;
-
-public interface XacmlRequestBuilderTjeneste {
- /**
- * Legger på de attributter som trengs for vurdering av abac-policy
- *
- * @param pdpRequest attributter som systemet har plukket ut som relevant for
- * requestet
- * @return XacmlRequestBuilder
- */
- XacmlRequestBuilder lagXacmlRequestBuilder(PdpRequest req);
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/jaxrs/BasicAuthFilter.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/jaxrs/BasicAuthFilter.java
deleted file mode 100644
index 2ef7512b5..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/jaxrs/BasicAuthFilter.java
+++ /dev/null
@@ -1,37 +0,0 @@
-package no.nav.vedtak.sikkerhet.pdp.jaxrs;
-
-import static java.nio.charset.Charset.defaultCharset;
-import static java.util.Base64.getEncoder;
-
-import java.io.IOException;
-
-import javax.annotation.Priority;
-import javax.enterprise.context.Dependent;
-import javax.ws.rs.Priorities;
-import javax.ws.rs.client.ClientRequestContext;
-import javax.ws.rs.client.ClientRequestFilter;
-import javax.ws.rs.ext.Provider;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import no.nav.vedtak.konfig.KonfigVerdi;
-
-@Dependent
-@Provider
-@Priority(Priorities.AUTHENTICATION)
-public class BasicAuthFilter implements ClientRequestFilter {
-
- private static final Logger LOG = LoggerFactory.getLogger(BasicAuthFilter.class);
- private final String header;
-
- public BasicAuthFilter(@KonfigVerdi("systembruker.username") String user, @KonfigVerdi("systembruker.password") String pw) {
- header = getEncoder().encodeToString((user + ":" + pw).getBytes(defaultCharset()));
- }
-
- @Override
- public void filter(ClientRequestContext requestContext) throws IOException {
- requestContext.getHeaders().add("Authorization", "Basic " + header);
- LOG.debug("Added Authorization header");
- }
-}
diff --git a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Advice.java b/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Advice.java
deleted file mode 100644
index 37469ec18..000000000
--- a/felles/sikkerhet/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/pdp/xacml/Advice.java
+++ /dev/null
@@ -1,8 +0,0 @@
-package no.nav.vedtak.sikkerhet.pdp.xacml;
-
-public enum Advice {
- DENY_KODE_6,
- DENY_KODE_7,
- DENY_EGEN_ANSATT;
-
-}
diff --git a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/AbacSporingsloggTest.java b/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/AbacSporingsloggTest.java
deleted file mode 100644
index 5c6f1a74b..000000000
--- a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/AbacSporingsloggTest.java
+++ /dev/null
@@ -1,209 +0,0 @@
-package no.nav.vedtak.sikkerhet.abac;
-
-import static no.nav.vedtak.log.util.MemoryAppender.sniff;
-import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR;
-import static no.nav.vedtak.sikkerhet.abac.StandardAbacAttributtType.AKSJONSPUNKT_KODE;
-import static no.nav.vedtak.sikkerhet.abac.StandardAbacAttributtType.BEHANDLING_ID;
-import static no.nav.vedtak.sikkerhet.abac.StandardAbacAttributtType.SAKSNUMMER;
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.List;
-import java.util.Map;
-import java.util.TreeSet;
-
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Test;
-
-import no.nav.vedtak.log.util.MemoryAppender;
-import no.nav.vedtak.sikkerhet.abac.AbacIdToken.TokenType;
-import no.nav.vedtak.util.AppLoggerFactory;
-
-class AbacSporingsloggTest {
-
- private static MemoryAppender logSniffer;
- private static DefaultAbacSporingslogg sporing;
-
- @BeforeAll
- static void beforeAll() {
- logSniffer = sniff(AppLoggerFactory.getSporingLogger(DefaultAbacSporingslogg.class));
- sporing = new DefaultAbacSporingslogg();
-
- }
-
- @AfterEach
- void afterEach() {
- logSniffer.reset();
- }
-
- @Test
- void skal_logge_fra_attributter() throws Exception {
-
- var attributter = AbacAttributtSamling.medJwtToken("dummy.oidc.token", TokenType.OIDC)
- .setAction("foobar").leggTil(AbacDataAttributter.opprett()
- .leggTil(BEHANDLING_ID, 1234L)
- .leggTil(SAKSNUMMER, "SNR0001"));
-
- sporing.loggTilgang(attributter);
- assertLogged("action=foobar abac_action=null abac_resource_type=null behandlingId=1234 saksnummer=SNR0001 ");
- }
-
- @Test
- void skal_lage_flere_rader_når_en_attributt_har_flere_verdier() throws Exception {
- var attributter = AbacAttributtSamling
- .medJwtToken("dummy.oidc.token", TokenType.OIDC)
- 
.setAction("foobar")
- .leggTil(AbacDataAttributter.opprett()
- .leggTil(AKSJONSPUNKT_KODE, "A")
- .leggTil(AKSJONSPUNKT_KODE, "B")
- .leggTil(AKSJONSPUNKT_KODE, "C")
- .leggTil(BEHANDLING_ID, 1234L));
-
- sporing.loggTilgang(attributter);
- assertEquals(3, logSniffer.countEventsForLogger());
- assertLogged("action=foobar abac_action=null abac_resource_type=null aksjonspunktKode=A behandlingId=1234 saksnummer=SNR0001 ");
- assertLogged("action=foobar abac_action=null abac_resource_type=null aksjonspunktKode=B behandlingId=1234 saksnummer=SNR0001 ");
- assertLogged("action=foobar abac_action=null abac_resource_type=null aksjonspunktKode=C behandlingId=1234 saksnummer=SNR0001 ");
- }
-
- @Test
- void skal_lage_kryssprodukt_når_det_er_noen_attributter_som_har_flere_verdier() throws Exception {
- var attributter = AbacAttributtSamling
- .medJwtToken("dummy.oidc.token", TokenType.OIDC)
- .setAction("foobar")
- .leggTil(AbacDataAttributter.opprett()
- .leggTil(SAKSNUMMER, "SNR0001")
- .leggTil(SAKSNUMMER, "SNR0002")
- .leggTil(SAKSNUMMER, "SNR0003")
- .leggTil(AKSJONSPUNKT_KODE, "A")
- .leggTil(AKSJONSPUNKT_KODE, "B"));
-
- sporing.loggTilgang(new PdpRequest(), attributter);
-
- assertLogged("foobar abac_action=null abac_resource_type=null aksjonspunktKode=B saksnummer=SNR0001 ");
- assertLogged("foobar abac_action=null abac_resource_type=null aksjonspunktKode=B saksnummer=SNR0002 ");
- assertLogged("foobar abac_action=null abac_resource_type=null aksjonspunktKode=B saksnummer=SNR0003 ");
- assertLogged("foobar abac_action=null abac_resource_type=null aksjonspunktKode=A saksnummer=SNR0001 ");
- assertLogged("foobar abac_action=null abac_resource_type=null aksjonspunktKode=A saksnummer=SNR0002 ");
- assertLogged("foobar abac_action=null abac_resource_type=null aksjonspunktKode=A saksnummer=SNR0003 ");
- assertCount("action", 6);
- }
-
- @Test
- void skal_logge_fra_pdp_request() throws Exception {
- var r = new PdpRequest(Map.of(RESOURCE_FELLES_PERSON_FNR, 
List.of("11111111111")));
- var attributter = AbacAttributtSamling
- .medJwtToken("dummy.oidc.token", TokenType.OIDC)
- .setAction("foobar");
- sporing.loggTilgang(r, attributter);
- assertLogged("action=foobar abac_action=null abac_resource_type=null fnr=11111111111");
- assertCount("action", 1);
- }
-
- @Test
- void skal_logge_fra_pdp_request_og_attributter() throws Exception {
- var r = new PdpRequest(Map.of(RESOURCE_FELLES_PERSON_FNR, List.of("11111111111")));
- var attributter = AbacAttributtSamling
- .medJwtToken("dummy.oidc.token", TokenType.OIDC)
- .setAction("foobar")
- .leggTil(AbacDataAttributter.opprett()
- .leggTil(BEHANDLING_ID, 1234L)
- .leggTil(SAKSNUMMER, "SNR0001"));
-
- sporing.loggTilgang(r, attributter);
- assertLogged("action=foobar abac_action=null abac_resource_type=null behandlingId=1234 fnr=11111111111 saksnummer=SNR0001 ");
- assertCount("action", 1);
- }
-
- @Test
- void skal_sette_sammen_rader_når_det_kommer_en_rad_fra_pdp_request_og_flere_fra_attributer() throws Exception {
- var r = new PdpRequest(Map.of(RESOURCE_FELLES_PERSON_FNR, Collections.singleton("11111111111")));
- var attributter = AbacAttributtSamling
- .medJwtToken("dummy.oidc.token", TokenType.OIDC)
- .setAction("foobar")
- .leggTil(AbacDataAttributter.opprett()
- .leggTil(BEHANDLING_ID, 1234L)
- .leggTil(BEHANDLING_ID, 1235L)
- .leggTil(BEHANDLING_ID, 1236L));
-
- sporing.loggTilgang(r, attributter);
- assertLogged("action=foobar abac_action=null abac_resource_type=null behandlingId=1234 fnr=11111111111");
- assertLogged("action=foobar abac_action=null abac_resource_type=null behandlingId=1235 fnr=11111111111");
- assertLogged("action=foobar abac_action=null abac_resource_type=null behandlingId=1236 fnr=11111111111");
- assertCount("action", 3);
-
- }
-
- @Test
- void skal_sette_sammen_rader_når_det_kommer_fler_rader_fra_pdp_request_og_en_fra_attributer() throws Exception {
- var r = new PdpRequest(Map.of(RESOURCE_FELLES_PERSON_FNR, new 
TreeSet<>(Arrays.asList("11111111111", "22222222222", "33333333333"))));
- var attributter = AbacAttributtSamling
- .medJwtToken("dummy.oidc.token", TokenType.OIDC)
- .setAction("foobar")
- .leggTil(AbacDataAttributter.opprett().leggTil(BEHANDLING_ID, 1234L));
- sporing.loggTilgang(r, attributter);
- assertLogged("action=foobar abac_action=null abac_resource_type=null behandlingId=1234 fnr=11111111111");
- assertLogged("action=foobar abac_action=null abac_resource_type=null behandlingId=1234 fnr=22222222222");
- assertLogged("action=foobar abac_action=null abac_resource_type=null behandlingId=1234 fnr=33333333333");
- assertCount("action", 3);
- }
-
- @Test
- void skal_ha_separate_rader_for_pdpRequest_og_attributter_når_det_er_flere_fra_hver_for_å_unngå_stort_kryssprodukt() throws Exception {
- var attributter = AbacAttributtSamling
- .medJwtToken("dummy.oidc.token", TokenType.OIDC)
- .setAction("foobar")
- .leggTil(AbacDataAttributter.opprett()
- .leggTil(BEHANDLING_ID, 1234L)
- .leggTil(BEHANDLING_ID, 1235L)
- .leggTil(BEHANDLING_ID, 1236L));
-
- sporing.loggTilgang(
- new PdpRequest(Map.of(RESOURCE_FELLES_PERSON_FNR, new TreeSet<>(Arrays.asList("11111111111", "22222222222")))), attributter);
-
- assertLogged("action=foobar abac_action=null abac_resource_type=null fnr=11111111111 ");
- assertLogged("action=foobar abac_action=null abac_resource_type=null fnr=22222222222 ");
- assertLogged("action=foobar behandlingId=1234");
- assertLogged("action=foobar behandlingId=1235");
- assertLogged("action=foobar behandlingId=1236");
- assertCount("action", 5);
- }
-
- @Test
- void skal_erstatte_mellomrom_med_underscore_for_å_forenkle_parsing_av_sporingslogg() throws Exception {
-
- var attributter = AbacAttributtSamling
- .medJwtToken("dummy.oidc.token", TokenType.OIDC)
- .setAction("foobar")
- .leggTil(AbacDataAttributter.opprett()
- .leggTil(StandardAbacAttributtType.SAKSNUMMER, "SNR 0001"));
- sporing.loggTilgang(attributter);
-
- assertLogged("saksnummer=SNR_0001");
- 
assertCount("action", 1);
- }
-
- @Test
- void skal_logge_fra_pdp_request_og_attributter_ved_deny() throws Exception {
-
- var pdpRequest = new PdpRequest(Map.of(RESOURCE_FELLES_PERSON_FNR, Collections.singleton("11111111111")));
- var attributter = AbacAttributtSamling
- .medJwtToken("dummy.oidc.token", TokenType.OIDC)
- .setAction("foobar")
- .leggTil(new AbacDataAttributter().leggTil(BEHANDLING_ID, 1234L));
- sporing.loggDeny(pdpRequest, List.of(Decision.Deny), attributter);
- assertLogged("action=foobar abac_action=null abac_resource_type=null behandlingId=1234 decision=Deny fnr=11111111111 ");
- assertCount("action", 1);
- }
-
- private static void assertCount(String substring, int n) {
- assertThat(logSniffer.countEntries(substring)).isEqualTo(n);
- }
-
- private static void assertLogged(String string) {
- assertThat(logSniffer.searchInfo(string)).isNotNull();
- }
-}
diff --git a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/ActionUthenterTest.java b/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/ActionUthenterTest.java
deleted file mode 100644
index 5d47a4777..000000000
--- a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/ActionUthenterTest.java
+++ /dev/null
@@ -1,57 +0,0 @@ -package no.nav.vedtak.sikkerhet.abac; - -import static org.assertj.core.api.Assertions.assertThat; - -import javax.jws.WebMethod; -import javax.jws.WebService; -import javax.ws.rs.Path; - -import org.junit.jupiter.api.Test; - -class ActionUthenterTest { - - @Test - void skalLageActionForRestMethod() throws NoSuchMethodException { - assertThat(ActionUthenter.action(MyRestSvc1.class, MyRestSvc1.class.getDeclaredMethod("myRestMethod1", String.class))) - .isEqualTo("/root1/resource1"); - assertThat(ActionUthenter.action(MyRestSvc1.class, MyRestSvc1.class.getDeclaredMethod("myRestMethod2", String.class))) - .isEqualTo("/root1/resource2"); - assertThat(ActionUthenter.action(MyRestSvc1.class, MyRestSvc1.class.getDeclaredMethod("myRestMethod3", String.class))).isEqualTo("/root1"); - } - - @Test - void skal_ha_at_action_for_webservice_er_action_i_webmethod() throws Exception { - assertThat(ActionUthenter.action(MyWebService.class, MyWebService.class.getDeclaredMethod("coinToss"))) - .isEqualTo("http://foobar.com/biased/coin/toss/v1"); - } - - @Path("/root1") - static class MyRestSvc1 { - @Path("/resource1") - public void myRestMethod1(@SuppressWarnings("unused") String s) { - } - - @Path("resource2") - public void myRestMethod2(@SuppressWarnings("unused") String s) { - } - - @SuppressWarnings("unused") - public void myRestMethod3(String s) { - } - } - - @WebService - private interface MyWebServiceInterface { - @WebMethod(action = "http://foobar.com/biased/coin/toss/v1") - boolean coinToss(); - } - - @WebService - private static class MyWebService implements MyWebServiceInterface { - @Override - public boolean coinToss() { - return false; - } - } - -} diff --git a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/DummyRequestBuilder.java b/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/DummyRequestBuilder.java deleted file mode 100644 index 5e41784ab..000000000 
--- a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/DummyRequestBuilder.java +++ /dev/null @@ -1,15 +0,0 @@ -package no.nav.vedtak.sikkerhet.abac; - -import javax.annotation.Priority; -import javax.enterprise.context.Dependent; -import javax.enterprise.inject.Alternative; - -@Dependent -@Alternative -@Priority(1) -class DummyRequestBuilder implements PdpRequestBuilder { - @Override - public PdpRequest lagPdpRequest(AbacAttributtSamling attributter) { - return new PdpRequest(); - } -} diff --git a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/PdpRequestTest.java b/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/PdpRequestTest.java deleted file mode 100644 index db9bb3492..000000000 --- a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/PdpRequestTest.java +++ /dev/null 
@@ -1,79 +0,0 @@ -package no.nav.vedtak.sikkerhet.abac; - -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_NAVN; -import static org.assertj.core.api.Assertions.assertThat; - -import java.util.LinkedHashSet; -import java.util.List; -import java.util.Optional; - -import org.junit.jupiter.api.Test; - -class PdpRequestTest { - - @Test - void skal_lage_kryssprodukt_mellom_identer() throws Exception { - PdpRequest req = new PdpRequest(); - var fnr = new LinkedHashSet<>(); - fnr.add("11111111111"); - fnr.add("22222222222"); - fnr.add("33333333333"); - fnr.add("44444444444"); - req.put(RESOURCE_FELLES_PERSON_FNR, fnr); - var aktørId = new LinkedHashSet<>(); - aktørId.add("1111"); - aktørId.add("2222"); - req.put(RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE, aktørId); - - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 0)) - .hasValueSatisfying(it -> assertThat(it).isEqualTo("11111111111")); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 1)) - .hasValueSatisfying(it -> assertThat(it).isEqualTo("22222222222")); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 2)) - .hasValueSatisfying(it -> assertThat(it).isEqualTo("33333333333")); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 3)) - .hasValueSatisfying(it -> assertThat(it).isEqualTo("44444444444")); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE, 0)) - .hasValueSatisfying(it -> assertThat(it).isEqualTo("1111")); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE, 1)) - .hasValueSatisfying(it -> assertThat(it).isEqualTo("2222")); - assertThat(getElementFromListByKeyAndIndex(req, 
RESOURCE_FELLES_PERSON_FNR, 4)).isNotPresent(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 5)).isNotPresent(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 6)).isNotPresent(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 7)).isNotPresent(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE, 2)).isNotPresent(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE, 3)).isNotPresent(); - } - - @Test - void skal_fungere_uten_fnr() throws Exception { - PdpRequest req = new PdpRequest(); - var at = List.of("a", "b"); - req.put(RESOURCE_FELLES_PERSON_NAVN, at); - - assertThat(req.getListOfString(RESOURCE_FELLES_PERSON_FNR)).isEmpty(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 0)).isNotPresent(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 1)).isNotPresent(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_NAVN, 0)).hasValueSatisfying(it -> assertThat(it).isEqualTo("a")); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_NAVN, 1)).hasValueSatisfying(it -> assertThat(it).isEqualTo("b")); - } - - @Test - void skal_fungere_uten_fnr_og_uten_aksjonspunkt_type() throws Exception { - PdpRequest req = new PdpRequest(); - - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_FNR, 0)).isNotPresent(); - assertThat(getElementFromListByKeyAndIndex(req, RESOURCE_FELLES_PERSON_NAVN, 0)).isNotPresent(); - } - - private static Optional getElementFromListByKeyAndIndex(PdpRequest pdpRequest, String key, int index) { - List list = pdpRequest.getListOfString(key); - if (list.size() >= index + 1) { - return Optional.ofNullable(list.get(index)); - } - return Optional.empty(); - } - -} 
diff --git a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java b/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java deleted file mode 100644 index 0d6806ee3..000000000 --- a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java +++ /dev/null 
@@ -1,65 +0,0 @@ -package no.nav.vedtak.sikkerhet.abac; - -import static org.assertj.core.api.AssertionsForClassTypes.assertThat; -import static org.mockito.ArgumentMatchers.any; -import static org.mockito.Mockito.verify; -import static org.mockito.Mockito.verifyNoInteractions; -import static org.mockito.Mockito.when; - -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.ExtendWith; -import org.mockito.Mock; -import org.mockito.junit.jupiter.MockitoExtension; - -import no.nav.vedtak.sikkerhet.abac.AbacIdToken.TokenType; - -@ExtendWith(MockitoExtension.class) -class PepImplTest { - - private PepImpl pep; - @Mock - private TokenProvider provider; - @Mock - private PdpKlient pdpKlientMock; - - @BeforeEach - void setUp() { - pep = new PepImpl(pdpKlientMock, provider, new DummyRequestBuilder(), new DefaultAbacSporingslogg(), "SRVFPLOS,SRVPDP"); - } - - @Test - void skal_gi_tilgang_til_srvpdp_for_piptjeneste() { - when(provider.getUid()).thenReturn("srvpdp"); - AbacAttributtSamling attributter = AbacAttributtSamling.medJwtToken("dummy", TokenType.OIDC) - .setResource("pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker") - .setAction("READ"); - - Tilgangsbeslutning permit = pep.vurderTilgang(attributter); - assertThat(permit.fikkTilgang()).isTrue(); - verifyNoInteractions(pdpKlientMock); - } - - @Test - void skal_nekte_tilgang_til_saksbehandler_for_piptjeneste() { - when(provider.getUid()).thenReturn("z142443"); - AbacAttributtSamling attributter = AbacAttributtSamling.medJwtToken("dummy", TokenType.OIDC) - .setResource("pip.tjeneste.kan.kun.kalles.av.pdp.servicebruker") - .setAction("READ"); - - Tilgangsbeslutning permit = pep.vurderTilgang(attributter); - assertThat(permit.fikkTilgang()).isFalse(); - verifyNoInteractions(pdpKlientMock); - } - - @Test - void skal_kalle_pdp_for_annet_enn_pip_tjenester() { - AbacAttributtSamling attributter = AbacAttributtSamling.medJwtToken("dummy", TokenType.OIDC) - 
.setResource("no.nav.abac.attributter.foreldrepenger.fagsak") - .setAction("READ"); - - @SuppressWarnings("unused") - Tilgangsbeslutning permit = pep.vurderTilgang(attributter); - verify(pdpKlientMock).forespørTilgang(any(PdpRequest.class)); - } -} diff --git a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestBuilderTjenesteImpl.java b/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestBuilderTjenesteImpl.java deleted file mode 100644 index 2345be46b..000000000 --- a/felles/sikkerhet/sikkerhet/src/test/java/no/nav/vedtak/sikkerhet/pdp/XacmlRequestBuilderTjenesteImpl.java +++ /dev/null 
@@ -1,103 +0,0 @@ -package no.nav.vedtak.sikkerhet.pdp; - -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_DOMENE; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_PERSON_FNR; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.RESOURCE_FELLES_RESOURCE_TYPE; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.SUBJECT_TYPE; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.XACML10_ACTION_ACTION_ID; -import static no.nav.vedtak.sikkerhet.abac.NavAbacCommonAttributter.XACML10_SUBJECT_ID; - -import java.util.ArrayList; -import java.util.List; -import java.util.stream.Collectors; - -import javax.enterprise.context.Dependent; - -import no.nav.vedtak.sikkerhet.abac.PdpRequest; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlAttributeSet; -import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequestBuilder; -import no.nav.vedtak.util.Tuple; - -/** - * Eksemple {@link XacmlRequestBuilderTjeneste} for enhetstest. 
- */ -@Dependent -public class XacmlRequestBuilderTjenesteImpl implements XacmlRequestBuilderTjeneste { - - public XacmlRequestBuilderTjenesteImpl() { - } - - @Override - public XacmlRequestBuilder lagXacmlRequestBuilder(PdpRequest pdpRequest) { - XacmlRequestBuilder xacmlBuilder = new XacmlRequestBuilder(); - - XacmlAttributeSet actionAttributeSet = new XacmlAttributeSet(); - actionAttributeSet.addAttribute(XACML10_ACTION_ACTION_ID, - pdpRequest.getString(XACML10_ACTION_ACTION_ID)); - xacmlBuilder.addActionAttributeSet(actionAttributeSet); - List> identer = hentIdenter(pdpRequest, RESOURCE_FELLES_PERSON_FNR, - RESOURCE_FELLES_PERSON_AKTOERID_RESOURCE); - - if (identer.isEmpty()) { - populerResources(xacmlBuilder, pdpRequest, null); - } else { - for (Tuple ident : identer) { - populerResources(xacmlBuilder, pdpRequest, ident); - } - } - - populerSubjects(pdpRequest, xacmlBuilder); - - return xacmlBuilder; - } - - private void populerSubjects(PdpRequest pdpRequest, XacmlRequestBuilder xacmlBuilder) { - var attrs = new XacmlAttributeSet(); - var found = false; - - if (pdpRequest.get(XACML10_SUBJECT_ID) != null) { - attrs.addAttribute(XACML10_SUBJECT_ID, pdpRequest.getString(XACML10_SUBJECT_ID)); - found = true; - } - if (pdpRequest.get(SUBJECT_TYPE) != null) { - attrs.addAttribute(SUBJECT_TYPE, pdpRequest.getString(SUBJECT_TYPE)); - found = true; - } - if (found) { - xacmlBuilder.addSubjectAttributeSet(attrs); - } - } - - protected void populerResources(XacmlRequestBuilder xacmlBuilder, PdpRequest pdpRequest, Tuple ident) { - var attributter = byggRessursAttributter(pdpRequest); - if (ident != null) { - attributter.addAttribute(ident.getElement1(), ident.getElement2()); - } - xacmlBuilder.addResourceAttributeSet(attributter); - } - - protected XacmlAttributeSet byggRessursAttributter(PdpRequest pdpRequest) { - var resourceAttributeSet = new XacmlAttributeSet(); - - resourceAttributeSet.addAttribute(RESOURCE_FELLES_DOMENE, - 
pdpRequest.getString(RESOURCE_FELLES_DOMENE)); - - resourceAttributeSet.addAttribute(RESOURCE_FELLES_RESOURCE_TYPE, - pdpRequest.getString(RESOURCE_FELLES_RESOURCE_TYPE)); - - return resourceAttributeSet; - } - - protected void setOptionalValueinAttributeSet(XacmlAttributeSet resourceAttributeSet, PdpRequest pdpRequest, String key) { - pdpRequest.getOptional(key).ifPresent(s -> resourceAttributeSet.addAttribute(key, s)); - } - - private static List> hentIdenter(PdpRequest pdpRequest, String... identNøkler) { - List> identer = new ArrayList<>(); - for (String key : identNøkler) { - identer.addAll(pdpRequest.getListOfString(key).stream().map(it -> new Tuple<>(key, it)).collect(Collectors.toList())); - } - return identer; - } -} diff --git a/felles/sikkerhet/sikkerhet/src/test/resources/request.json b/felles/sikkerhet/sikkerhet/src/test/resources/request.json new file mode 100644 index 000000000..fceed37a1 --- /dev/null +++ b/felles/sikkerhet/sikkerhet/src/test/resources/request.json 
@@ -0,0 +1,90 @@
+{
+ "Request": {
+ "Resource": [
+ {
+ "Attribute": [
+ {
+ "AttributeId": "no.nav.abac.attributter.resource.felles.domene",
+ "Value": "foreldrepenger"
+ },
+ {
+ "AttributeId": "no.nav.abac.attributter.resource.felles.resource_type",
+ "Value": "no.nav.abac.attributter.foreldrepenger.fagsak"
+ },
+ {
+ "AttributeId": "no.nav.abac.attributter.resource.felles.person.aktoerId_resource",
+ "Value": "11111"
+ }
+ ]
+ },
+ {
+ "Attribute": [
+ {
+ "AttributeId": "no.nav.abac.attributter.resource.felles.domene",
+ "Value": "foreldrepenger"
+ },
+ {
+ "AttributeId": "no.nav.abac.attributter.resource.felles.resource_type",
+ "Value": "no.nav.abac.attributter.foreldrepenger.fagsak"
+ },
+ {
+ "AttributeId": "no.nav.abac.attributter.resource.felles.person.aktoerId_resource",
+ "Value": "22222"
+ }
+ ]
+ },
+ {
+ "Attribute": [
+ {
+ "AttributeId": "no.nav.abac.attributter.resource.felles.domene",
+ "Value": "foreldrepenger"
+ },
+ {
+ "AttributeId": "no.nav.abac.attributter.resource.felles.resource_type",
+ "Value": "no.nav.abac.attributter.foreldrepenger.fagsak"
+ },
+ {
+ "AttributeId": "no.nav.abac.attributter.resource.felles.person.fnr",
+ "Value": "12345678900"
+ }
+ ]
+ }
+ ],
+ "Action": {
+ "Attribute": [
+ {
+ "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
+ "Value": "read"
+ }
+ ]
+ },
+ "Environment": {
+ "Attribute": [
+ {
+ "AttributeId": "no.nav.abac.attributter.environment.felles.pep_id",
+ "Value": "local-app"
+ },
+ {
+ "AttributeId": "no.nav.abac.attributter.environment.felles.oidc_token_body",
+ "Value": "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"
+ }
+ ]
+ },
+ "ActionSubject": {
+ "Attribute": [
+ {
+ "AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
+ "Value": "Z991241"
+ },
+ {
+ "AttributeId": "no.nav.abac.attributter.subject.felles.subjectType",
+ "Value": "InternBruker"
+ },
+ {
+ "AttributeId": "no.nav.abac.attributter.subject.felles.authenticationLevel",
+ "Value": "4"
+ }
+ ]
+ }
+ }
+}
diff --git a/felles/sikkerhet/sikkerhet/src/test/resources/request1.json b/felles/sikkerhet/sikkerhet/src/test/resources/request1.json
new file mode 100644
index 000000000..9887ca2dc
--- /dev/null
+++ b/felles/sikkerhet/sikkerhet/src/test/resources/request1.json
@@ -0,0 +1,40 @@
+{
+ "Request": {
+ "Resource": {
+ "Attribute": [
+ {
+ "AttributeId": "no.nav.abac.attributter.resource.felles.domene",
+ "Value": "foreldrepenger"
+ },
+ {
+ "AttributeId": "no.nav.abac.attributter.resource.felles.resource_type",
+ "Value": "no.nav.abac.attributter.foreldrepenger.fagsak"
+ },
+ {
+ "AttributeId": "no.nav.abac.attributter.resource.felles.person.fnr",
+ "Value": "12345678900"
+ }
+ ]
+ },
+ "Action": {
+ "Attribute": [
+ {
+ "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
+ "Value": "read"
+ }
+ ]
+ },
+ "Environment": {
+ "Attribute": [
+ {
+ "AttributeId": "no.nav.abac.attributter.environment.felles.pep_id",
+ "Value": "local-app"
+ },
+ {
+ "AttributeId": "no.nav.abac.attributter.environment.felles.oidc_token_body",
+ "Value": "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"
+ }
+ ]
+ }
+ }
+}
diff --git a/felles/sikkerhet/sikkerhet/src/test/resources/xacml3response.json b/felles/sikkerhet/sikkerhet/src/test/resources/xacml3response.json
index bcf07b2b2..bd7ed00a4 100644
--- a/felles/sikkerhet/sikkerhet/src/test/resources/xacml3response.json
+++ b/felles/sikkerhet/sikkerhet/src/test/resources/xacml3response.json
@@ -10,15 +10,15 @@
 }
 }
 },
- "AssociatedAdvice": {
+ "AssociatedAdvice": [{
 "Id": "no.nav.abac.advices.deny.reason",
- "AttributeAssignment": {
+ "AttributeAssignment": [{
 "AttributeId": "no.nav.abac.advice.fritekst",
 "Value": "Ikke tilgang",
 "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
 "DataType": "http://www.w3.org/2001/XMLSchema#string"
- }
- }
+ }]
+ }]
 },
 {
 "Decision": "Deny",
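Review bot: The `oidc_token_body` value in this new fixture cannot be read in this view, so it is worth checking that it is an obviously synthetic string rather than a token copied from a real environment, because test resources are committed alongside the code; the same check applies to request1.json in the next hunk. A readable placeholder such as `"Value": "dummy.oidc.token"` would make the intent clear to later readers. The subject block is keyed `ActionSubject` here while request1.json carries no subject block at all; if the request mapper under test emits the XACML JSON-profile shorthand `AccessSubject`, this fixture would not match its output, so it is worth confirming which key the test compares against.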
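Review bot: `AssociatedAdvice` and `AttributeAssignment` change from single objects to arrays in this hunk, and the remaining hunks of this file together with xacmlresponse-array.json, xacmlresponse.json, xacmlresponse_1deny_1permit.json and xacmlresponse_multiple_obligation.json make the same switch, so after this commit only the array form has fixture coverage. The response deserializer itself is outside this chunk; if a PDP can still answer with a single object, it should either accept that shape (Jackson's `DeserializationFeature.ACCEPT_SINGLE_VALUE_AS_ARRAY` on the response mapper, with one single-object fixture kept) or fail in a way that ends in a deny rather than a permit. Keeping one fixture in the old shape, or a short comment in the test that loads these files noting which PDP response format they mirror, would document that choice.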
@@ -30,15 +30,15 @@
 }
 }
 },
- "AssociatedAdvice": {
+ "AssociatedAdvice": [{
 "Id": "no.nav.abac.advices.deny.reason",
- "AttributeAssignment": {
+ "AttributeAssignment": [{
 "AttributeId": "no.nav.abac.advice.fritekst",
 "Value": "Ikke tilgang",
 "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
 "DataType": "http://www.w3.org/2001/XMLSchema#string"
- }
- }
+ }]
+ }]
 },
 {
 "Decision": "Deny",
@@ -50,15 +50,15 @@
 }
 }
 },
- "AssociatedAdvice": {
+ "AssociatedAdvice": [{
 "Id": "no.nav.abac.advices.deny.reason",
- "AttributeAssignment": {
+ "AttributeAssignment": [{
 "AttributeId": "no.nav.abac.advice.fritekst",
 "Value": "Ikke tilgang",
 "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
 "DataType": "http://www.w3.org/2001/XMLSchema#string"
- }
- }
+ }]
+ }]
 }
 ]
 }
diff --git a/felles/sikkerhet/sikkerhet/src/test/resources/xacmlresponse-array.json b/felles/sikkerhet/sikkerhet/src/test/resources/xacmlresponse-array.json
index 9975eb2e2..066b235e6 100644
--- a/felles/sikkerhet/sikkerhet/src/test/resources/xacmlresponse-array.json
+++ b/felles/sikkerhet/sikkerhet/src/test/resources/xacmlresponse-array.json
@@ -1,5 +1,5 @@
 {
- "Response": {
+ "Response": [{
 "Decision": "Deny",
 "Status": {
 "StatusCode": {
@@ -12,22 +12,22 @@
 "AssociatedAdvice": [
 {
 "Id": "no.nav.abac.advices.deny.reason",
- "AttributeAssignment": {
+ "AttributeAssignment": [{
 "AttributeId": "no.nav.abac.advice.fritekst",
 "Value": "Ikke tilgang",
 "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
 "DataType": "http://www.w3.org/2001/XMLSchema#string"
- }
+ }]
 },
 {
 "Id": "no.nav.abac.advices.deny.reason",
- "AttributeAssignment": {
+ "AttributeAssignment": [{
 "AttributeId": "no.nav.abac.advice.fritekst",
 "Value": "Ikke tilgang",
 "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
 "DataType": "http://www.w3.org/2001/XMLSchema#string"
- }
+ }]
 }
 ]
- }
+ }]
 }
diff --git a/felles/sikkerhet/sikkerhet/src/test/resources/xacmlresponse.json b/felles/sikkerhet/sikkerhet/src/test/resources/xacmlresponse.json
index 84472297a..966921f99 100644
--- a/felles/sikkerhet/sikkerhet/src/test/resources/xacmlresponse.json
+++ b/felles/sikkerhet/sikkerhet/src/test/resources/xacmlresponse.json
@@ -1,22 +1,20 @@
 {
- "Response": {
+ "Response": [
+ {
 "Decision": "Deny",
- "Status": {
- "StatusCode": {
- "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
- "StatusCode": {
- "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
- }
- }
- },
- "AssociatedAdvice": {
+ "AssociatedAdvice": [
+ {
 "Id": "no.nav.abac.advices.deny.reason",
- "AttributeAssignment": {
+ "AttributeAssignment": [
+ {
 "AttributeId": "no.nav.abac.advice.fritekst",
 "Value": "Ikke tilgang",
 "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
 "DataType": "http://www.w3.org/2001/XMLSchema#string"
 }
+ ]
 }
+ ]
 }
+ ]
 }
diff --git a/felles/sikkerhet/sikkerhet/src/test/resources/xacmlresponse_1deny_1permit.json b/felles/sikkerhet/sikkerhet/src/test/resources/xacmlresponse_1deny_1permit.json
index deb00cc2b..68d917c3d 100644
--- a/felles/sikkerhet/sikkerhet/src/test/resources/xacmlresponse_1deny_1permit.json
+++ b/felles/sikkerhet/sikkerhet/src/test/resources/xacmlresponse_1deny_1permit.json
@@ -10,7 +10,7 @@
 }
 }
 },
- "AssociatedAdvice": {
+ "AssociatedAdvice": [{
 "Id": "no.nav.abac.advices.reason.deny_reason",
 "AttributeAssignment": [
 {
@@ -32,7 +32,7 @@
 "DataType": "http://www.w3.org/2001/XMLSchema#string"
 }
 ]
- }
+ }]
 },
 {
 "Decision": "Permit",
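Review bot: The whole `Status` block is removed from this fixture, so any handling of the XACML status code (for example telling a `Deny` from an evaluation error) is no longer exercised by xacmlresponse.json. If the parser ignores `Status` this is harmless, but then a one-line comment in the test that loads this file would save the next reader from wondering; otherwise keep one fixture with a status and one without so both paths stay covered.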
@@ -44,29 +44,17 @@
 }
 }
 },
- "AssociatedAdvice": {
+ "AssociatedAdvice": [{
 "Id": "no.nav.abac.advices.action.sporbarhetslogg",
 "AttributeAssignment": [
 {
- "AttributeId": "no.nav.abac.attributter.adviceorobligation.deny_policy",
- "Value": "fp1_behandle_kode6",
+ "AttributeId": "no.nav.abac.attributter.adviceorobligation.fritekst",
+ "Value": "alt ok",
 "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
 "DataType": "http://www.w3.org/2001/XMLSchema#string"
- },
- {
- "AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
- "Value": "Z991113",
- "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
- "DataType": "http://www.w3.org/2001/XMLSchema#string"
- },
- {
- "AttributeId": "no.nav.abac.attributter.resource.felles.person.fnr",
- "Value": "07078515206",
- "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
- "DataType": "http://www.w3.org/2001/XMLSchema#string"
 }
 ]
- }
+ }]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/felles/sikkerhet/sikkerhet/src/test/resources/xacmlresponse_multiple_obligation.json b/felles/sikkerhet/sikkerhet/src/test/resources/xacmlresponse_multiple_obligation.json
index 3fb5600b7..1e33d0220 100644
--- a/felles/sikkerhet/sikkerhet/src/test/resources/xacmlresponse_multiple_obligation.json
+++ b/felles/sikkerhet/sikkerhet/src/test/resources/xacmlresponse_multiple_obligation.json
@@ -1,5 +1,6 @@
 {
- "Response": {
+ "Response": [
+ {
 "Decision": "Permit",
 "Status": {
 "StatusCode": {
@@ -12,22 +13,25 @@
 "Obligations": [
 {
 "Id": "no.nav.abac.obligation.action.log",
- "AttributeAssignment": {
- "AttributeId": "no.nav.abac.advice.fritekst",
- "Value": "Mangler konsument (consumerId)",
- "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
- "DataType": "http://www.w3.org/2001/XMLSchema#string"
- }
+ "AttributeAssignment": [
+ {
+ "AttributeId": "no.nav.abac.advice.fritekst",
+ "Value": "Mangler konsument (consumerId)",
+ "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
+ "DataType": "http://www.w3.org/2001/XMLSchema#string"
+ }
+ ]
 },
 {
 "Id": "no.nav.abac.obligation.action.auditlog",
- "AttributeAssignment": {
+ "AttributeAssignment": [{
 "AttributeId": "no.nav.abac.advice.fritekst",
 "Value": "Mangler autentiseringsNivaa (authenticationLevel)",
 "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
 "DataType": "http://www.w3.org/2001/XMLSchema#string"
- }
+ }]
 }
 ]
- }
+ }
+ ]
 }
diff --git a/felles/sikkerhet/testutilities/pom.xml b/felles/sikkerhet/testutilities/pom.xml
index f41130eab..d310162d6 100644
--- a/felles/sikkerhet/testutilities/pom.xml
+++ b/felles/sikkerhet/testutilities/pom.xml
@@ -18,5 +18,5 @@ no.nav.foreldrepenger.felles.sikkerhet felles-sikkerhet - +
diff --git a/felles/sikkerhet/testutilities/src/main/java/no/nav/vedtak/felles/testutilities/sikkerhet/pdp/DummyRequestBuilder.java b/felles/sikkerhet/testutilities/src/main/java/no/nav/vedtak/felles/testutilities/sikkerhet/pdp/DummyRequestBuilder.java
deleted file mode 100644
index 4f79a380c..000000000
--- a/felles/sikkerhet/testutilities/src/main/java/no/nav/vedtak/felles/testutilities/sikkerhet/pdp/DummyRequestBuilder.java
+++ /dev/null
@@ -1,19 +0,0 @@
-package no.nav.vedtak.felles.testutilities.sikkerhet.pdp;
-
-import no.nav.vedtak.sikkerhet.abac.AbacAttributtSamling;
-import no.nav.vedtak.sikkerhet.abac.PdpRequest;
-import no.nav.vedtak.sikkerhet.abac.PdpRequestBuilder;
-
-import javax.annotation.Priority;
-import javax.enterprise.context.Dependent;
-import javax.enterprise.inject.Alternative;
-
-@Dependent
-@Alternative
-@Priority(1)
-public class DummyRequestBuilder implements PdpRequestBuilder {
- @Override
- public PdpRequest lagPdpRequest(AbacAttributtSamling attributter) {
- return null;
- }
-}
diff --git a/felles/sikkerhet/testutilities/src/main/java/no/nav/vedtak/felles/testutilities/sikkerhet/pdp/DummyXacmlRequestBuilderTjeneste.java b/felles/sikkerhet/testutilities/src/main/java/no/nav/vedtak/felles/testutilities/sikkerhet/pdp/DummyXacmlRequestBuilderTjeneste.java
deleted file mode 100644
index dae0f8a92..000000000
--- a/felles/sikkerhet/testutilities/src/main/java/no/nav/vedtak/felles/testutilities/sikkerhet/pdp/DummyXacmlRequestBuilderTjeneste.java
+++ /dev/null
@@ -1,20 +0,0 @@
-package no.nav.vedtak.felles.testutilities.sikkerhet.pdp;
-
-import javax.annotation.Priority;
-import javax.enterprise.context.Dependent;
-import javax.enterprise.inject.Alternative;
-
-import no.nav.vedtak.sikkerhet.abac.PdpRequest;
-import no.nav.vedtak.sikkerhet.pdp.XacmlRequestBuilderTjeneste;
-import no.nav.vedtak.sikkerhet.pdp.xacml.XacmlRequestBuilder;
-
-@Dependent
-@Alternative
-@Priority(1)
-public class DummyXacmlRequestBuilderTjeneste implements XacmlRequestBuilderTjeneste {
-
- @Override
- public XacmlRequestBuilder lagXacmlRequestBuilder(PdpRequest pdpRequest) {
- return new XacmlRequestBuilder();
- }
-}
diff --git a/felles/util/pom.xml b/felles/util/pom.xml
index 6e971198d..d32736e43 100644
--- a/felles/util/pom.xml
+++ b/felles/util/pom.xml
@@ -63,14 +63,7 @@ - - com.fasterxml.jackson.datatype - jackson-datatype-jdk8 - - - com.fasterxml.jackson.datatype - jackson-datatype-jsr310 - +
diff --git a/integrasjon/arbeidsfordeling-klient/src/test/java/no/nav/vedtak/felles/integrasjon/arbeidsfordeling/rest/ArbeidsfordelingRestTest.java b/integrasjon/arbeidsfordeling-klient/src/test/java/no/nav/vedtak/felles/integrasjon/arbeidsfordeling/rest/ArbeidsfordelingRestTest.java index 29e973002..590848ce6 100644 --- a/integrasjon/arbeidsfordeling-klient/src/test/java/no/nav/vedtak/felles/integrasjon/arbeidsfordeling/rest/ArbeidsfordelingRestTest.java +++ b/integrasjon/arbeidsfordeling-klient/src/test/java/no/nav/vedtak/felles/integrasjon/arbeidsfordeling/rest/ArbeidsfordelingRestTest.java @@ -1,6 +1,6 @@ package no.nav.vedtak.felles.integrasjon.arbeidsfordeling.rest; -import static no.nav.vedtak.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; +import static no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; import static org.assertj.core.api.Assertions.assertThat; import org.junit.jupiter.api.Test; diff --git a/integrasjon/ereg-klient/src/test/java/no/nav/vedtak/felles/integrasjon/organisasjon/EregRestTest.java b/integrasjon/ereg-klient/src/test/java/no/nav/vedtak/felles/integrasjon/organisasjon/EregRestTest.java index d0e0c1ab5..f0b551527 100644 --- a/integrasjon/ereg-klient/src/test/java/no/nav/vedtak/felles/integrasjon/organisasjon/EregRestTest.java +++ b/integrasjon/ereg-klient/src/test/java/no/nav/vedtak/felles/integrasjon/organisasjon/EregRestTest.java @@ -1,6 +1,6 @@ package no.nav.vedtak.felles.integrasjon.organisasjon; -import static no.nav.vedtak.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; +import static no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; import static org.assertj.core.api.Assertions.assertThat; import java.io.IOException; 
diff --git a/integrasjon/infotrygd-saker-klient/src/test/java/no/nav/vedtak/felles/integrasjon/infotrygd/saker/v1/SerializationTest.java b/integrasjon/infotrygd-saker-klient/src/test/java/no/nav/vedtak/felles/integrasjon/infotrygd/saker/v1/SerializationTest.java index 9bc91ab96..e59bc23f1 100644 --- a/integrasjon/infotrygd-saker-klient/src/test/java/no/nav/vedtak/felles/integrasjon/infotrygd/saker/v1/SerializationTest.java +++ b/integrasjon/infotrygd-saker-klient/src/test/java/no/nav/vedtak/felles/integrasjon/infotrygd/saker/v1/SerializationTest.java @@ -3,7 +3,7 @@ import static java.nio.charset.StandardCharsets.UTF_8; import static java.nio.file.Files.readAllBytes; import static java.util.stream.Collectors.toList; -import static no.nav.vedtak.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; +import static no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; import static org.junit.jupiter.api.Assertions.assertEquals; import java.io.IOException; diff --git a/integrasjon/medl-klient/src/test/java/no/nav/vedtak/felles/integrasjon/medl2/MedlemskapsunntakTest.java b/integrasjon/medl-klient/src/test/java/no/nav/vedtak/felles/integrasjon/medl2/MedlemskapsunntakTest.java index fc910634f..e0a9b2637 100644 --- a/integrasjon/medl-klient/src/test/java/no/nav/vedtak/felles/integrasjon/medl2/MedlemskapsunntakTest.java +++ b/integrasjon/medl-klient/src/test/java/no/nav/vedtak/felles/integrasjon/medl2/MedlemskapsunntakTest.java @@ -1,6 +1,6 @@ package no.nav.vedtak.felles.integrasjon.medl2; -import static no.nav.vedtak.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; +import static no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; import static org.assertj.core.api.Assertions.assertThat; import java.io.IOException; 
diff --git a/integrasjon/pdl-klient/src/main/java/no/nav/vedtak/felles/integrasjon/pdl/PdlDefaultErrorHandler.java b/integrasjon/pdl-klient/src/main/java/no/nav/vedtak/felles/integrasjon/pdl/PdlDefaultErrorHandler.java index 881e4938b..9f30c0b43 100644 --- a/integrasjon/pdl-klient/src/main/java/no/nav/vedtak/felles/integrasjon/pdl/PdlDefaultErrorHandler.java +++ b/integrasjon/pdl-klient/src/main/java/no/nav/vedtak/felles/integrasjon/pdl/PdlDefaultErrorHandler.java @@ -3,7 +3,7 @@ import static no.nav.vedtak.felles.integrasjon.pdl.Pdl.PDL_ERROR_RESPONSE; import static no.nav.vedtak.felles.integrasjon.pdl.Pdl.PDL_INTERNAL; import static no.nav.vedtak.felles.integrasjon.pdl.Pdl.PDL_KLIENT_NOT_FOUND_KODE; -import static no.nav.vedtak.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; +import static no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; import static org.apache.http.HttpStatus.SC_BAD_REQUEST; import static org.apache.http.HttpStatus.SC_FORBIDDEN; import static org.apache.http.HttpStatus.SC_INTERNAL_SERVER_ERROR; diff --git a/integrasjon/pdl-klient/src/test/java/no/nav/vedtak/felles/integrasjon/pdl/TestJerseyPdlClient.java b/integrasjon/pdl-klient/src/test/java/no/nav/vedtak/felles/integrasjon/pdl/TestJerseyPdlClient.java index 3f1a0c88e..e80c1b7b6 100644 --- a/integrasjon/pdl-klient/src/test/java/no/nav/vedtak/felles/integrasjon/pdl/TestJerseyPdlClient.java +++ b/integrasjon/pdl-klient/src/test/java/no/nav/vedtak/felles/integrasjon/pdl/TestJerseyPdlClient.java 
@@ -10,7 +10,7 @@ import static java.nio.charset.StandardCharsets.UTF_8; import static javax.ws.rs.core.MediaType.APPLICATION_JSON; import static no.nav.vedtak.felles.integrasjon.pdl.PdlDefaultErrorHandler.FORBUDT; -import static no.nav.vedtak.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; +import static no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; import static no.nav.vedtak.felles.integrasjon.rest.jersey.AbstractJerseyRestClient.DEFAULT_NAV_CALLID; import static no.nav.vedtak.felles.integrasjon.rest.jersey.AbstractJerseyRestClient.DEFAULT_NAV_CONSUMERID; import static no.nav.vedtak.felles.integrasjon.rest.jersey.AbstractJerseyRestClient.NAV_CONSUMER_TOKEN_HEADER; @@ -238,4 +238,4 @@ private String load(StsAccessTokenJerseyClient sts) { return sts.accessToken(); } -} \ No newline at end of file +} diff --git a/integrasjon/rest-klient/pom.xml b/integrasjon/rest-klient/pom.xml index d1164eeeb..25b38a5b1 100644 --- a/integrasjon/rest-klient/pom.xml +++ b/integrasjon/rest-klient/pom.xml @@ -54,6 +54,10 @@ no.nav.foreldrepenger.felles.sikkerhet felles-sikkerhet + + no.nav.foreldrepenger.felles + felles-mapper + org.apache.httpcomponents httpclient diff --git a/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/AbstractOidcRestClient.java b/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/AbstractOidcRestClient.java index a7a1e282b..342b5917a 100644 --- a/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/AbstractOidcRestClient.java +++ b/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/AbstractOidcRestClient.java 
@@ -29,6 +29,7 @@ import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; +import no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper; import no.nav.vedtak.exception.TekniskException; import no.nav.vedtak.felles.integrasjon.rest.OidcRestClientResponseHandler.ByteArrayResponseHandler; import no.nav.vedtak.felles.integrasjon.rest.OidcRestClientResponseHandler.StringResponseHandler; diff --git a/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/OAuth2AccessTokenClient.java b/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/OAuth2AccessTokenClient.java index d4ae80f21..22552dfc0 100644 --- a/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/OAuth2AccessTokenClient.java +++ b/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/OAuth2AccessTokenClient.java @@ -18,6 +18,7 @@ import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.node.ObjectNode; +import no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper; import no.nav.vedtak.felles.integrasjon.rest.jersey.OAuth2AccessTokenJerseyClient; /** diff --git a/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/StsAccessTokenClient.java b/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/StsAccessTokenClient.java index 5d0775363..af9e557db 100644 --- a/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/StsAccessTokenClient.java +++ b/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/StsAccessTokenClient.java 
@@ -13,6 +13,7 @@ import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; +import no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper; import no.nav.vedtak.felles.integrasjon.rest.jersey.StsAccessTokenClientRequestFilter; import no.nav.vedtak.log.mdc.MDCOperations; diff --git a/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/jersey/AbstractJerseyRestClient.java b/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/jersey/AbstractJerseyRestClient.java index 7a644c688..58e626a15 100644 --- a/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/jersey/AbstractJerseyRestClient.java +++ b/integrasjon/rest-klient/src/main/java/no/nav/vedtak/felles/integrasjon/rest/jersey/AbstractJerseyRestClient.java @@ -1,8 +1,8 @@ package no.nav.vedtak.felles.integrasjon.rest.jersey; import static java.nio.charset.StandardCharsets.UTF_8; -import static no.nav.vedtak.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; -import static no.nav.vedtak.felles.integrasjon.rest.DefaultJsonMapper.toJson; +import static no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; +import static no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper.toJson; import static no.nav.vedtak.felles.integrasjon.rest.RestClientSupportProdusent.connectionManager; import static no.nav.vedtak.felles.integrasjon.rest.RestClientSupportProdusent.createKeepAliveStrategy; import static no.nav.vedtak.felles.integrasjon.rest.RestClientSupportProdusent.defaultHeaders; diff --git a/integrasjon/saf-klient/src/main/java/no/nav/vedtak/felles/integrasjon/saf/SafTjeneste.java b/integrasjon/saf-klient/src/main/java/no/nav/vedtak/felles/integrasjon/saf/SafTjeneste.java index 12e556364..5d6b38218 100644 --- a/integrasjon/saf-klient/src/main/java/no/nav/vedtak/felles/integrasjon/saf/SafTjeneste.java 
+++ b/integrasjon/saf-klient/src/main/java/no/nav/vedtak/felles/integrasjon/saf/SafTjeneste.java @@ -1,6 +1,6 @@ package no.nav.vedtak.felles.integrasjon.saf; -import static no.nav.vedtak.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; +import static no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; import java.io.IOException; import java.net.URI; diff --git a/integrasjon/sak-klient/src/test/java/no/nav/vedtak/felles/integrasjon/sak/v1/TestJerseySakClient.java b/integrasjon/sak-klient/src/test/java/no/nav/vedtak/felles/integrasjon/sak/v1/TestJerseySakClient.java index a5bad8a99..a42f56051 100644 --- a/integrasjon/sak-klient/src/test/java/no/nav/vedtak/felles/integrasjon/sak/v1/TestJerseySakClient.java +++ b/integrasjon/sak-klient/src/test/java/no/nav/vedtak/felles/integrasjon/sak/v1/TestJerseySakClient.java @@ -9,7 +9,7 @@ import static com.github.tomakehurst.wiremock.client.WireMock.stubFor; import static com.github.tomakehurst.wiremock.client.WireMock.urlPathEqualTo; import static javax.ws.rs.core.MediaType.APPLICATION_JSON; -import static no.nav.vedtak.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; +import static no.nav.foreldrepenger.felles.integrasjon.rest.DefaultJsonMapper.MAPPER; import static no.nav.vedtak.felles.integrasjon.rest.jersey.AbstractJerseyRestClient.DEFAULT_NAV_CALLID; import static no.nav.vedtak.felles.integrasjon.rest.jersey.AbstractJerseyRestClient.OIDC_AUTH_HEADER_PREFIX; import static no.nav.vedtak.felles.integrasjon.sak.v1.JerseySakRestKlient.FAGSAK_NR; @@ -128,4 +128,4 @@ private static SakJson sak() { private static List saker() { return List.of(sak()); } -} \ No newline at end of file +} diff --git a/pom.xml b/pom.xml index f2e850319..a5ac6c313 100644 --- a/pom.xml +++ b/pom.xml @@ -28,7 +28,7 @@ 3.19.0 1.2020.01.27-14.53-7065a2d75840 -Xdoclint:none - -Dfile.encoding=UTF-8 + -Dfile.encoding=UTF-8 --illegal-access=permit @@ -174,6 +174,7 @@ ${java.version} UTF-8 ${java.version} + false 
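Review bot: Appending `--illegal-access=permit` to the JVM argument line in the `@@ -28,7 +28,7 @@` hunk of pom.xml re-opens every JDK-internal package to reflective access for the whole forked JVM, instead of naming the specific packages a library actually needs; since the same `${argLine}` appears to be handed to maven-failsafe-plugin in the following hunk, the relaxation reaches integration tests as well. The flag was deprecated in JDK 16 and is ignored from JDK 17 on, so whatever reflective access it papers over will break silently on the next JDK upgrade. Prefer a targeted `--add-opens java.base/<PACKAGE>=ALL-UNNAMED` (placeholder package) per offending library, and document the reason next to the property, e.g. `<!-- --illegal-access=permit: required by <LIBRARY> (placeholder) which reflects into JDK internals; replace with --add-opens before moving to JDK 17 -->`.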
@@ -200,6 +201,9 @@ org.apache.maven.plugins maven-failsafe-plugin 2.22.2 + + ${argLine} + org.codehaus.mojo