diff --git a/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/validator/ConsumerMetric.java b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/validator/ConsumerMetric.java
new file mode 100644
index 000000000..48414419b
--- /dev/null
+++ b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/validator/ConsumerMetric.java
@@ -0,0 +1,36 @@
+package no.nav.vedtak.sikkerhet.oidc.validator;
+
+import static no.nav.vedtak.log.metrics.MetricsUtil.REGISTRY;
+
+import io.micrometer.core.instrument.Counter;
+import no.nav.vedtak.sikkerhet.kontekst.IdentType;
+import no.nav.vedtak.sikkerhet.oidc.config.OpenIDProvider;
+
+public class ConsumerMetric {
+
+ private static final String FORELDREPENGER_KONSUMENTER = "foreldrepenger.konsumenter";
+
+ private ConsumerMetric() {
+ }
+
+ public static void registrer(String klientNavn, String konsument, OpenIDProvider tokenType, IdentType identType, String acrLevel) {
+ counter(klientNavn, konsument, tokenType, identType, acrLevel).increment();
+ }
+ public static void registrer(String klientNavn, String konsument, OpenIDProvider tokenType, IdentType identType) {
+ counter(klientNavn, konsument, tokenType, identType, null).increment();
+ }
+
+ private static Counter counter(String klientNavn, String konsument, OpenIDProvider tokenType, IdentType identType, String acrLevel) {
+ var counter = Counter.builder(FORELDREPENGER_KONSUMENTER)
+ .tag("klient", klientNavn)
+ .tag("tokenType", tokenType.name())
+ .tag("identYype", identType.name())
+ .tag("konsument", konsument)
+ .description("Konsument og token brukt.");
+
+ if (acrLevel != null) {
+ counter.tag("acrLevel", acrLevel);
+ }
+ return counter.register(REGISTRY);
+ }
+}
diff --git a/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/validator/OidcTokenValidator.java b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/validator/OidcTokenValidator.java
index 676ee1695..72240ca51 100644
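Review bot: The tag key on the `.tag("identYype", identType.name())` line in `counter` is misspelled; metric tag keys end up in dashboards and alert queries and are painful to rename once shipped, so it should read `.tag("identType", identType.name())`. The `konsument` tag accepts any string, and the callers added in this commit pass either an application name or a fixed role label, never a personal user identity; that rule should be stated on the class so future callers keep the label set bounded, e.g. a class-level Javadoc `Counts validated tokens per client, consumer and token/ident type. konsument must be a bounded label (application name or role), never a user identifier.` Building and calling `register(REGISTRY)` on every increment presumably relies on Micrometer returning the already-registered meter for an identical name/tag set, which is worth a one-line comment on the `return counter.register(REGISTRY);` line. A blank line between the two `registrer` overloads would match the rest of the class.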
--- a/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/validator/OidcTokenValidator.java
+++ b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/validator/OidcTokenValidator.java
@@ -22,6 +22,8 @@ import no.nav.vedtak.sikkerhet.oidc.jwks.JwtHeader;
 import no.nav.vedtak.sikkerhet.oidc.token.TokenString;
+import static no.nav.vedtak.sikkerhet.oidc.validator.ConsumerMetric.registrer;
+
 public class OidcTokenValidator {
 private static final Set AUTHENTICATION_LEVEL_ID_PORTEN = Set.of("Level4", "idporten-loa-high"); // Level4 er gammel og utgår ila 2023
@@ -35,7 +37,6 @@ public class OidcTokenValidator {
 private static final String IDTYP = "idtyp";
 private static final String APP = "app";
- private final OpenIDProvider provider;
 private final String expectedIssuer;
 private final String clientName;
@@ -126,7 +127,9 @@ public OidcTokenValidatorResult validate(TokenString tokenHolder) {
 } else if (OpenIDProvider.TOKENX.equals(provider)) {
 return validateTokenX(claims, subject);
 } else {
- return OidcTokenValidatorResult.valid(subject, IdentType.utledIdentType(subject), JwtUtil.getExpirationTimeRaw(claims));
+ var identType = IdentType.utledIdentType(subject);
+ registrer(clientName, subject, provider, identType);
+ return OidcTokenValidatorResult.valid(subject, identType, JwtUtil.getExpirationTimeRaw(claims));
 }
 } catch (InvalidJwtException e) {
 return OidcTokenValidatorResult.invalid(e.toString());
@@ -148,6 +151,7 @@ private String validateClaims(JwtClaims claims) {
 private OidcTokenValidatorResult validateAzure(JwtClaims claims, String subject) {
 if (isAzureClientCredentials(claims, subject)) {
 var brukSubject = Optional.ofNullable(JwtUtil.getStringClaim(claims, AzureProperty.AZP_NAME)).orElse(subject);
+ registrer(clientName, brukSubject, OpenIDProvider.AZUREAD, IdentType.Systemressurs);
 // Ta med bakoverkompatibelt navn ettersom azp_name er ganske langt (tabeller / opprettet_av)
 var sisteKolon = brukSubject.lastIndexOf(':');
 if (sisteKolon >= 0) {
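Review bot: The static import of `ConsumerMetric.registrer` hides the target of the four `registrer(...)` calls added later in this file; a qualified `ConsumerMetric.registrer(...)` reads as a metrics side effect at each call site, and static imports are normally reserved for constants and assertions. This is a point of style only; the import itself is otherwise fine.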
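Review bot: The new `registrer(clientName, subject, provider, identType)` call in the fallback branch of `validate` puts the raw token `subject` into the `konsument` metric tag, whereas the other branches in this commit pass a fixed label (`"Saksbehandler"`, `"Borger"`) or an application name; if `subject` can be a personal user ident here (the `IdentType.utledIdentType(subject)` call suggests it may be), that identifier becomes a Prometheus label with unbounded cardinality. Consider `var konsument = IdentType.Systemressurs.equals(identType) ? subject : identType.name();` followed by `registrer(clientName, konsument, provider, identType);` so that only system users are named. Separately, the hunk at -35,7 deletes the `provider` field while this hunk still reads `provider` on both the context line and the new call; unless it is declared elsewhere in the class (not visible here), this will not compile, so please confirm. The body of `validate` starts and ends outside the hunk.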
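Review bot: The added `registrer(clientName, brukSubject, OpenIDProvider.AZUREAD, IdentType.Systemressurs)` runs before the `sisteKolon` truncation, so the `konsument` tag carries the full `azp_name` while the subject handed back to callers is the shortened form; if that is intended, a comment such as `// Record the full azp_name in the metric; the subject below is shortened for backward compatibility` would stop the next reader from "fixing" the mismatch. When `azp_name` is absent the tag falls back to `subject`, whose form for client-credentials tokens is not visible here; if it is a per-client object id the label set grows with every caller, so a fixed fallback label may be safer. `validateAzure` continues outside the hunk.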
@@ -161,6 +165,7 @@ private OidcTokenValidatorResult validateAzure(JwtClaims claims, String subject)
 }
 } else {
 var brukSubject = Optional.ofNullable(JwtUtil.getStringClaim(claims, AzureProperty.NAV_IDENT)).orElse(subject);
+ registrer(clientName, "Saksbehandler", OpenIDProvider.AZUREAD, IdentType.InternBruker);
 var grupper = Optional.ofNullable(JwtUtil.getStringListClaim(claims, AzureProperty.GRUPPER))
 .map(arr -> GroupsProvider.instance().getGroupsFrom(arr))
 .orElse(Set.of());
@@ -175,13 +180,15 @@ private boolean isAzureClientCredentials(JwtClaims claims, String subject) {
 }
 private OidcTokenValidatorResult validateTokenX(JwtClaims claims, String subject) {
- var level4 = Optional.ofNullable(JwtUtil.getStringClaim(claims, ACR))
+ var acrClaim = JwtUtil.getStringClaim(claims, ACR);
+ var level4 = Optional.ofNullable(acrClaim)
 .filter(AUTHENTICATION_LEVEL_ID_PORTEN::contains)
 .isPresent();
 if (!level4) {
 return OidcTokenValidatorResult.invalid("TokenX token ikke på nivå 4");
 }
 var brukSubject = Optional.ofNullable(JwtUtil.getStringClaim(claims, PID)).orElse(subject);
+ registrer(clientName, "Borger", OpenIDProvider.TOKENX, IdentType.EksternBruker, acrClaim);
 return OidcTokenValidatorResult.valid(brukSubject, IdentType.EksternBruker, JwtUtil.getExpirationTimeRaw(claims));
 }
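Review bot: The `acrClaim` passed on the new `registrer(clientName, "Borger", OpenIDProvider.TOKENX, IdentType.EksternBruker, acrClaim)` line is only reached after the `AUTHENTICATION_LEVEL_ID_PORTEN` filter, so the `acrLevel` tag is non-null and bounded to the accepted values; that invariant is what keeps the tag low-cardinality and deserves a comment on the call, e.g. `// acrClaim is non-null and one of AUTHENTICATION_LEVEL_ID_PORTEN here, so the tag stays bounded`. Rejected TokenX tokens are not counted at all, so this metric cannot be used to spot callers presenting a lower level; if that is wanted, register with a fixed label before the early `invalid(...)` return.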