Har lagt inn maskinportenkonfig med Pkey

navikt · Dec 5, 2024 · b8fc8e8 · b8fc8e8
1 parent ca09f50
commit b8fc8e8
Showing 1 changed file with 78 additions and 7 deletions.
diff --git a/src/main/kotlin/MaskinportenClientConfig.kt b/src/main/kotlin/MaskinportenClientConfig.kt
@@ -7,17 +7,88 @@ import com.nimbusds.jose.crypto.RSASSASigner
 import com.nimbusds.jose.jwk.RSAKey
 import com.nimbusds.jwt.JWTClaimsSet
 import com.nimbusds.jwt.SignedJWT
+import java.security.KeyFactory
+import java.security.PrivateKey
+import java.security.spec.PKCS8EncodedKeySpec
 import java.time.Instant
+import java.util.Base64
 import java.util.Date
 import java.util.UUID
 
-data class MaskinportenClientConfig(
-    val scope: String,
-    val clientId: String,
-    val clientJwk: String,
-    val issuer: String,
+interface MaskinportenClientConfig {
+    val scope: String
+    val clientId: String
+    val clientJwk: String
+    val issuer: String
     val endpoint: String
-) {
+    fun getJwtAssertion(): String
+}
+
+class MaskinportenClientConfigPkey(
+    val kid: String,
+    val privateKey: String,
+    override val issuer: String,
+    val consumerOrgNr: String,
+    override val scope: String = LPS_API_SCOPE,
+    override val endpoint: String = "https://test.maskinporten.no/token",
+    override val clientId: String,
+    override val clientJwk: String,
+) : MaskinportenClientConfig {
+    companion object {
+        const val LPS_API_SCOPE = "nav:inntektsmelding/lps.write"
+    }
+
+    private fun loadPrivateKey(key: String): PrivateKey {
+        val keyText =
+            key
+                .replace("-----BEGIN PRIVATE KEY-----", "")
+                .replace("-----END PRIVATE KEY-----", "")
+                .replace("\n", "")
+                .replace("\\s".toRegex(), "")
+
+        val encoded = Base64.getDecoder().decode(keyText)
+        return KeyFactory
+            .getInstance("RSA")
+            .generatePrivate(PKCS8EncodedKeySpec(encoded))
+    }
+
+    override fun getJwtAssertion(): String {
+        val currentTimestamp = System.currentTimeMillis() / 1000
+
+        val header =
+            JWSHeader
+                .Builder(JWSAlgorithm.RS256)
+                .keyID(kid)
+                .type(JOSEObjectType.JWT)
+                .build()
+
+        val claims =
+            JWTClaimsSet
+                .Builder()
+                .issuer(issuer)
+                .audience(issuer)
+                .issueTime(Date(currentTimestamp * 1000))
+                .expirationTime(Date((currentTimestamp + 60) * 1000))
+                .claim("scope", scope)
+                .claim("consumer_org", consumerOrgNr)
+                .jwtID(UUID.randomUUID().toString())
+                .build()
+
+        val signer = RSASSASigner(loadPrivateKey(privateKey))
+        val signedJWT = SignedJWT(header, claims)
+        signedJWT.sign(signer)
+
+        return signedJWT.serialize()
+    }
+}
+
+class MaskinportenSimpleAssertion(
+    override val scope: String,
+    override val clientId: String,
+    override val clientJwk: String,
+    override val issuer: String,
+    override val endpoint: String
+) : MaskinportenClientConfig {
 
     private val rsaKey: RSAKey by lazy {
         try {
@@ -50,7 +121,7 @@ data class MaskinportenClientConfig(
             .build()
     }
 
-    fun getJwtAssertion(): String {
+    override fun getJwtAssertion(): String {
         return SignedJWT(header, claims()).apply { sign(signer) }.serialize()
     }
 }