From e0ff39de15cf857190f81e7ebeff3de25d6ba9f3 Mon Sep 17 00:00:00 2001
From: Ingleiv Johansen
Date: Wed, 17 Jan 2024 14:49:38 +0100
Subject: [PATCH] Bump nav-token-support 3.2.0 -> 4.1.0 (#183)
* Bumped nav-token-support 3.2.0 -> 4.1.0
* Bumped etterlatte-libs
---
 .../auth/ClientCredentialAuthProvider.kt | 53 ++++++++++---------
 .../kotlin/auth/DefaultOauth2HttpClient.kt | 6 +--
 gradle/libs.versions.toml | 8 +--
 3 files changed, 36 insertions(+), 31 deletions(-)
diff --git a/apps/etterlatte-proxy/src/main/kotlin/auth/ClientCredentialAuthProvider.kt b/apps/etterlatte-proxy/src/main/kotlin/auth/ClientCredentialAuthProvider.kt
index 06098566..29b3dcb7 100644
--- a/apps/etterlatte-proxy/src/main/kotlin/auth/ClientCredentialAuthProvider.kt
+++ b/apps/etterlatte-proxy/src/main/kotlin/auth/ClientCredentialAuthProvider.kt
@@ -1,5 +1,6 @@
 package no.nav.etterlatte.auth
+import com.nimbusds.oauth2.sdk.GrantType
 import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod
 import io.ktor.client.plugins.auth.Auth
 import io.ktor.client.plugins.auth.AuthProvider
@@ -9,9 +10,10 @@ import io.ktor.http.auth.HttpAuthHeader
 import no.nav.security.token.support.client.core.ClientAuthenticationProperties
 import no.nav.security.token.support.client.core.ClientProperties
 import no.nav.security.token.support.client.core.OAuth2CacheFactory
-import no.nav.security.token.support.client.core.OAuth2GrantType
 import no.nav.security.token.support.client.core.oauth2.ClientCredentialsTokenClient
 import no.nav.security.token.support.client.core.oauth2.OAuth2AccessTokenService
+import no.nav.security.token.support.client.core.oauth2.OnBehalfOfTokenClient
+import no.nav.security.token.support.client.core.oauth2.TokenExchangeClient
 import java.net.URI
 import java.time.Duration
@@ -30,19 +32,22 @@ class ClientCredentialAuthProvider(config: Map) : AuthProvider {
 override val sendWithoutRequest: Boolean = true
 private val clientPropertiesConfig = ClientProperties(
- null, // URI(conf["token_endpoint_url"]!!),
- config["AZURE_APP_WELL_KNOWN_URL"]?.let { URI(it) },
- OAuth2GrantType("client_credentials"),
- config["AZURE_APP_OUTBOUND_SCOPE"]?.split(",") ?: emptyList(),
- ClientAuthenticationProperties(
- config["AZURE_APP_CLIENT_ID"],
- ClientAuthenticationMethod.PRIVATE_KEY_JWT,
- null,
- config["AZURE_APP_JWK"]
- ),
- null, // conf["resource_url"]?.let { URI(it) },
- null
+ tokenEndpointUrl = null, // URI(conf["token_endpoint_url"]!!),
+ wellKnownUrl = config["AZURE_APP_WELL_KNOWN_URL"]?.let { URI(it) },
+ grantType = GrantType.CLIENT_CREDENTIALS,
+ scope = config["AZURE_APP_OUTBOUND_SCOPE"]?.split(",") ?: emptyList(),
+ authentication = ClientAuthenticationProperties.builder(
+ clientId = config.getOrThrow("AZURE_APP_CLIENT_ID"),
+ clientAuthMethod = ClientAuthenticationMethod.PRIVATE_KEY_JWT,
+ ).clientJwk(config.getOrThrow("AZURE_APP_JWK"))
+ .build(),
+ resourceUrl = null, // conf["resource_url"]?.let { URI(it) },
+ tokenExchange = null
 )
+ private fun Map.getOrThrow(key: String) =
+ this[key]
+ ?: throw IllegalArgumentException("Missing configuration property '$key'")
+
 private val httpClient = DefaultOAuth2HttpClient()
 private val accessTokenService = setupOAuth2AccessTokenService(httpClient = httpClient)
@@ -51,7 +56,7 @@ class ClientCredentialAuthProvider(config: Map) : AuthProvider {
 }
 override suspend fun addRequestHeaders(request: HttpRequestBuilder, authHeader: HttpAuthHeader?) {
- accessTokenService.getAccessToken(clientPropertiesConfig).accessToken.also {
+ accessTokenService.getAccessToken(clientPropertiesConfig)?.accessToken.also {
 request.headers[HttpHeaders.Authorization] = "Bearer $it"
 }
 }
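Review bot: The fail-fast `getOrThrow` introduced for `AZURE_APP_CLIENT_ID` and `AZURE_APP_JWK` is not applied to `wellKnownUrl`, which still silently becomes `null` via `config["AZURE_APP_WELL_KNOWN_URL"]?.let { URI(it) }`; since `tokenEndpointUrl` is also `null`, a missing well-known URL presumably only surfaces at the first token request rather than when the provider is constructed. Consider `wellKnownUrl = URI(config.getOrThrow("AZURE_APP_WELL_KNOWN_URL")),` so that every required Azure setting is validated in one place, and the same for `scope` if an empty scope list is never valid for this client. The commented-out `URI(conf["token_endpoint_url"]!!)` and `conf["resource_url"]` remnants on the `tokenEndpointUrl` and `resourceUrl` lines are carried over from the old code and could be dropped now that the parameters are named. The class body continues outside the hunk.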
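Review bot: The new `?.` on `getAccessToken(...)` makes the receiver of `.also` nullable, so when no token is returned `it` is `null` and the request is still sent with the literal header value `Bearer null` instead of failing. Replace the chain with `val token = accessTokenService.getAccessToken(clientPropertiesConfig)?.accessToken ?: error("no access token obtained for the client credentials grant")` followed by `request.headers[HttpHeaders.Authorization] = "Bearer $token"`, so a missing token is reported at the proxy rather than as an opaque 401 from the downstream service. Whether the upgraded library can actually return `null` here is not visible in the hunk, but the operator change suggests the return type became nullable.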
@@ -59,14 +64,14 @@ class ClientCredentialAuthProvider(config: Map) : AuthProvider {
 internal fun setupOAuth2AccessTokenService(httpClient: DefaultOAuth2HttpClient): OAuth2AccessTokenService {
 return OAuth2AccessTokenService(
- null,
- null,
- ClientCredentialsTokenClient(httpClient),
- null
- ).also {
- it.clientCredentialsGrantCache = OAuth2CacheFactory.accessTokenResponseCache(
- 10,
- Duration.ofMinutes(50L).toSeconds()
- )
- }
+ tokenResolver = { throw IllegalArgumentException("Skal ikke kalle denne") },
+ onBehalfOfTokenClient = OnBehalfOfTokenClient(httpClient),
+ clientCredentialsTokenClient = ClientCredentialsTokenClient(httpClient),
+ clientCredentialsGrantCache =
+ OAuth2CacheFactory.accessTokenResponseCache(
+ maximumSize = 10,
+ skewInSeconds = Duration.ofMinutes(50L).toSeconds(),
+ ),
+ tokenExchangeClient = TokenExchangeClient(httpClient),
+ )
 }
\ No newline at end of file
diff --git a/apps/etterlatte-proxy/src/main/kotlin/auth/DefaultOauth2HttpClient.kt b/apps/etterlatte-proxy/src/main/kotlin/auth/DefaultOauth2HttpClient.kt
index 7bfb39e2..d65b8498 100644
--- a/apps/etterlatte-proxy/src/main/kotlin/auth/DefaultOauth2HttpClient.kt
+++ b/apps/etterlatte-proxy/src/main/kotlin/auth/DefaultOauth2HttpClient.kt
@@ -27,12 +27,12 @@ class DefaultOAuth2HttpClient : OAuth2HttpClient {
 }
 // Override default POST with other form parameters specified for Idp request
- override fun post(oAuth2HttpRequest: OAuth2HttpRequest): OAuth2AccessTokenResponse {
+ override fun post(request: OAuth2HttpRequest): OAuth2AccessTokenResponse {
 return runBlocking {
 defaultHttpClient.submitForm(
- url = oAuth2HttpRequest.tokenEndpointUrl.toString(),
+ url = request.tokenEndpointUrl.toString(),
 formParameters = Parameters.build {
- oAuth2HttpRequest.formParameters.forEach {
+ request.formParameters.forEach {
 append(it.key, it.value)
 }
 }
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 010a3680..3e62687c 100644
--- a/gradle/libs.versions.toml
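Review bot: Naming the cache arguments reveals that the second value is `skewInSeconds`, not a time-to-live: if the cache subtracts the skew from the token's remaining lifetime, as the name suggests, a 50-minute skew on a typical one-hour access token leaves only about ten minutes of reuse before a fresh token is fetched, and any token issued for less than 50 minutes would presumably never be served from the cache at all. Confirm this is intended; a skew of a minute or two, e.g. `skewInSeconds = Duration.ofMinutes(1L).toSeconds(),`, is the usual choice when the aim is to reuse a token for most of its lifetime while avoiding expiry races, and the positional call this replaces hid the distinction. The `tokenResolver` lambda throws `IllegalArgumentException` with a Norwegian message while the other message added in this commit is English; `error("tokenResolver is not used by the client credentials flow")` would be consistent, signals a programming error rather than a bad argument, and documents why the newly wired `OnBehalfOfTokenClient` and `TokenExchangeClient` are never expected to be reached from this provider.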
+++ b/gradle/libs.versions.toml
@@ -3,7 +3,7 @@ cutterslade-analyze = { id = "ca.cutterslade.analyze", version = "1.9.1" }
 [versions]
-navfelles-token-version = "3.2.0"
+navfelles-token-version = "4.1.0"
 ktor-version = "2.3.7"
 jupiter-version = "5.10.1"
 cxf-version = "4.0.2"
@@ -18,9 +18,9 @@ navFellesTokenClientCore = { module = "no.nav.security:token-client-core", versi
 tjenestespesifikasjonerTilbakekreving = { module = "com.github.navikt.pensjon-etterlatte-tjenestespesifikasjoner:tilbakekreving-v1-tjenestespesifikasjon", version = "1.78ffd1e"}
 #Etterlatte
-etterlatte-common = { module = "pensjon-etterlatte-libs:common", version = "2024.01.05-09.38.6f5ada710f9f"}
-etterlatte-commonTest = { module = "pensjon-etterlatte-libs:common-test", version = "2024.01.05-09.38.6f5ada710f9f"}
-etterlatte-ktorClientAuth = { module = "no.nav.etterlatte:ktor-client-auth", version = "2022.09.28-10.09.cce630926582"}
+etterlatte-common = { module = "pensjon-etterlatte-libs:common", version = "2024.01.17-13.26.695db1c36957"}
+etterlatte-commonTest = { module = "pensjon-etterlatte-libs:common-test", version = "2024.01.17-13.25.695db1c36957"}
+etterlatte-ktorClientAuth = { module = "pensjon-etterlatte-libs:ktor-client-auth", version = "2024.01.17-13.28.695db1c36957"}
 #Ktor
 ktor-callLogging = { module = "io.ktor:ktor-server-call-logging", version.ref = "ktor-version"}