Merge pull request #1657 from navikt/dev
Merge ta i bruk poao-tilgang and dependabot PRer
sneha-d-desai authored Aug 9, 2024
2 parents 522c090 + 7c4d945 commit 0aabb81
Showing 20 changed files with 360 additions and 561 deletions.
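--- /dev/null
+++ b/.github/workflows/deploy-opensearch-dev.yaml
@@ -0,0 +1,17 @@
+name: Deploy opensearch til Dev
+on:
+workflow_dispatch:
+
+jobs:
+deploy-opensearch:
+name: Deploy opensearch
+runs-on: ubuntu-latest
+permissions:
+contents: read
+id-token: write
+steps:
+- uses: actions/checkout@v4
+- uses: nais/deploy/actions/deploy@v2
+env:
+CLUSTER: dev-gcp
+RESOURCE: ".nais/application/opensearch-dev.yaml"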
14 changes: 14 additions & 0 deletions .intelliJ_ddl/DDL.sql
Expand Up @@ -435,6 +435,20 @@ CREATE TABLE public.fargekategori_kopi_2024_01_16 (
);


--
-- Name: fargekategori_kopi_2024_06_13; Type: TABLE; Schema: public; Owner: -
--

CREATE TABLE public.fargekategori_kopi_2024_06_13 (
id uuid,
fnr character varying(11),
verdi character varying(25),
sist_endret timestamp without time zone,
sist_endret_av_veilederident character varying(7),
enhet_id character varying(4)
);


--
-- Name: flyway_schema_history; Type: TABLE; Schema: public; Owner: -
--
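--- /dev/null
+++ b/.nais/application/opensearch-dev.yaml
@@ -0,0 +1,25 @@
+apiVersion: aiven.io/v1alpha1
+kind: OpenSearch
+metadata:
+labels:
+team: obo
+name: opensearch-obo-veilarbportefolje
+namespace: obo
+spec:
+plan: startup-4
+project: nav-dev
+
+---
+
+apiVersion: aiven.io/v1alpha1
+kind: ServiceIntegration
+metadata:
+labels:
+team: obo
+name: opensearch-obo-veilarbportefolje
+namespace: obo
+spec:
+project: nav-dev
+integrationType: prometheus
+destinationEndpointId: f20f5b48-18f4-4e2a-8e5f-4ab3edb19733
+sourceServiceName: opensearch-obo-veilarbportefolje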
13 changes: 4 additions & 9 deletions pom.xml
Expand Up @@ -24,7 +24,7 @@
<maven.compiler.source>21</maven.compiler.source>
<maven.compiler.target>21</maven.compiler.target>
<maven.compiler.release>21</maven.compiler.release>
<unleash.version>9.2.2</unleash.version>
<unleash.version>9.2.4</unleash.version>
</properties>

<build>
Expand Down Expand Up @@ -218,7 +218,7 @@
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.32</version>
<version>1.18.34</version>
</dependency>
<dependency>
<groupId>io.vavr</groupId>
Expand All @@ -228,11 +228,6 @@


<!-- Common -->
<dependency>
<groupId>com.github.navikt.common-java-modules</groupId>
<artifactId>abac</artifactId>
<version>${common.version}</version>
</dependency>
<dependency>
<groupId>com.github.navikt.common-java-modules</groupId>
<artifactId>rest</artifactId>
Expand Down Expand Up @@ -311,7 +306,7 @@
<dependency>
<groupId>org.opensearch.client</groupId>
<artifactId>opensearch-rest-high-level-client</artifactId>
<version>2.14.0</version>
<version>2.15.0</version>
</dependency>

<!--Diverse-->
Expand Down Expand Up @@ -359,7 +354,7 @@
<dependency>
<groupId>org.springdoc</groupId>
<artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
<version>2.5.0</version>
<version>2.6.0</version>
</dependency>

<!--TEST-->
97 changes: 30 additions & 67 deletions src/main/java/no/nav/pto/veilarbportefolje/auth/AuthService.java
Expand Up @@ -6,15 +6,10 @@
import lombok.Data;
import lombok.experimental.Accessors;
import lombok.extern.slf4j.Slf4j;
import no.nav.common.abac.Pep;
import no.nav.common.abac.domain.request.ActionId;
import no.nav.common.metrics.Event;
import no.nav.common.metrics.MetricsClient;
import no.nav.common.token_client.client.AzureAdMachineToMachineTokenClient;
import no.nav.common.token_client.client.AzureAdOnBehalfOfTokenClient;
import no.nav.common.types.identer.EnhetId;
import no.nav.common.types.identer.Fnr;
import no.nav.common.types.identer.NavIdent;
import no.nav.poao_tilgang.client.Decision;
import no.nav.pto.veilarbportefolje.domene.Bruker;
import no.nav.pto.veilarbportefolje.domene.value.VeilederId;
Expand All @@ -30,31 +25,24 @@
import static no.nav.common.client.utils.CacheUtils.tryCacheFirst;
import static no.nav.pto.veilarbportefolje.auth.AuthUtils.getInnloggetBrukerToken;
import static no.nav.pto.veilarbportefolje.auth.AuthUtils.getInnloggetVeilederIdent;
import static no.nav.pto.veilarbportefolje.util.SecureLog.secureLog;

@Service
@Slf4j
public class AuthService {
private final AzureAdOnBehalfOfTokenClient aadOboTokenClient;
private final AzureAdMachineToMachineTokenClient aadM2MTokenClient;
private final PoaoTilgangWrapper poaoTilgangWrapper;
private final Pep veilarbPep;
private final Cache<VeilederPaEnhet, Boolean> harVeilederTilgangTilEnhetCache;
private final MetricsClient metricsClient;

@Autowired
public AuthService(
AzureAdOnBehalfOfTokenClient aadOboTokenClient,
AzureAdMachineToMachineTokenClient aadM2MTokenClient,
PoaoTilgangWrapper poaoTilgangWrapper,
Pep veilarbPep,
MetricsClient metricsClient
PoaoTilgangWrapper poaoTilgangWrapper
) {
this.aadOboTokenClient = aadOboTokenClient;
this.aadM2MTokenClient = aadM2MTokenClient;
this.poaoTilgangWrapper = poaoTilgangWrapper;
this.veilarbPep = veilarbPep;
this.metricsClient = metricsClient;
this.harVeilederTilgangTilEnhetCache = Caffeine.newBuilder()
.expireAfterWrite(1, TimeUnit.HOURS)
.maximumSize(6000)
Expand All @@ -74,30 +62,31 @@ public void innloggetVeilederHarTilgangTilEnhet(String enhet) {
}

public boolean harVeilederTilgangTilEnhet(String veilederId, String enhet) {
Boolean abacResponse = tryCacheFirst(harVeilederTilgangTilEnhetCache, new VeilederPaEnhet(veilederId, enhet),
() -> veilarbPep.harVeilederTilgangTilEnhet(NavIdent.of(veilederId), EnhetId.of(enhet)));
poaoTilgangWrapper.harVeilederTilgangTilEnhet(EnhetId.of(enhet));
return abacResponse;
return tryCacheFirst(
harVeilederTilgangTilEnhetCache,
new VeilederPaEnhet(veilederId, enhet),
poaoTilgangWrapper.harVeilederTilgangTilEnhet(EnhetId.of(enhet))::isPermit
);
}

public void innloggetVeilederHarTilgangTilBruker(String fnr) {
boolean abacResponse = veilarbPep.harTilgangTilPerson(getInnloggetBrukerToken(), ActionId.READ, Fnr.of(fnr));
poaoTilgangWrapper.harTilgangTilPerson(Fnr.of(fnr));
AuthUtils.test("tilgangTilBruker", fnr, abacResponse);
boolean response = poaoTilgangWrapper.harTilgangTilPerson(Fnr.of(fnr)).isPermit();
AuthUtils.test("tilgangTilBruker", fnr, response);
}

public List<Bruker> sensurerBrukere(List<Bruker> brukere) {
String veilederIdent = getInnloggetVeilederIdent().toString();
return brukere.stream()
.map(bruker -> fjernKonfidensiellInfoDersomIkkeTilgang(bruker, veilederIdent))
.map(this::fjernKonfidensiellInfoDersomIkkeTilgang)
.collect(toList());
}

public Bruker fjernKonfidensiellInfoDersomIkkeTilgang(Bruker bruker, String veilederIdent) {
public Bruker fjernKonfidensiellInfoDersomIkkeTilgang(Bruker bruker) {
if (bruker.getBarnUnder18AarData() != null) {
bruker.setBarnUnder18AarData(bruker.getBarnUnder18AarData().stream().filter(barnUnder18AarData ->
harVeilederTilgangTilBarn(barnUnder18AarData, veilederIdent)
).toList());
bruker.setBarnUnder18AarData(
bruker.getBarnUnder18AarData().stream().filter(
this::harVeilederTilgangTilBarn
).toList()
);
}

if (!bruker.erKonfidensiell()) {
Expand All @@ -106,62 +95,36 @@ public Bruker fjernKonfidensiellInfoDersomIkkeTilgang(Bruker bruker, String veil

String diskresjonskode = bruker.getDiskresjonskode();

if (Adressebeskyttelse.STRENGT_FORTROLIG.diskresjonskode.equals(diskresjonskode) && !harVeilederTilgangTilKode6(NavIdent.of(veilederIdent))) {
if (Adressebeskyttelse.STRENGT_FORTROLIG.diskresjonskode.equals(diskresjonskode) && !harVeilederTilgangTilKode6()) {
return AuthUtils.fjernKonfidensiellInfo(bruker);
}
if (Adressebeskyttelse.FORTROLIG.diskresjonskode.equals(diskresjonskode) && !harVeilederTilgangTilKode7(NavIdent.of(veilederIdent))) {
if (Adressebeskyttelse.FORTROLIG.diskresjonskode.equals(diskresjonskode) && !harVeilederTilgangTilKode7()) {
return AuthUtils.fjernKonfidensiellInfo(bruker);
}
if (bruker.isEgenAnsatt() && !harVeilederTilgangTilEgenAnsatt(NavIdent.of(veilederIdent))) {
if (bruker.isEgenAnsatt() && !harVeilederTilgangTilEgenAnsatt()) {
return AuthUtils.fjernKonfidensiellInfo(bruker);
}
return bruker;
}

public boolean harVeilederTilgangTilKode6(NavIdent veilederIdent) {
boolean abacResponse = veilarbPep.harVeilederTilgangTilKode6(veilederIdent);
Decision decision = poaoTilgangWrapper.harVeilederTilgangTilKode6();
if (decision.isPermit() != abacResponse) {
metricsClient.report(new Event("poao-tilgang-diff").addTagToReport("method", "harVeilederTilgangTilKode6"));
secureLog.warn("Fortrolig diff between abac and poao-tilgang for veileder. Poao-tilgang decision is: " + decision.isPermit());
}
return abacResponse;
}

public boolean harVeilederTilgangTilKode6() {
String veilederIdent = getInnloggetVeilederIdent().toString();
return harVeilederTilgangTilKode6(NavIdent.of(veilederIdent));
}

public boolean harVeilederTilgangTilKode7(NavIdent veilederIdent) {
boolean abacResponse = veilarbPep.harVeilederTilgangTilKode7(veilederIdent);
Decision decision = poaoTilgangWrapper.harVeilederTilgangTilKode7();
if (decision.isPermit() != abacResponse) {
metricsClient.report(new Event("poao-tilgang-diff").addTagToReport("method", "harVeilederTilgangTilKode7"));
secureLog.warn("Streng diff between abac and poao-tilgang for veileder. Poao-tilgang decision is: " + decision.isPermit());
}
return abacResponse;
Decision decision = poaoTilgangWrapper.harVeilederTilgangTilKode6();
return decision.isPermit();
}

public boolean harVeilederTilgangTilKode7() {
String veilederIdent = getInnloggetVeilederIdent().toString();
return harVeilederTilgangTilKode7(NavIdent.of(veilederIdent));
Decision decision = poaoTilgangWrapper.harVeilederTilgangTilKode7();
return decision.isPermit();
}

public boolean harVeilederTilgangTilEgenAnsatt(NavIdent veilederIdent) {
boolean abacResponse = veilarbPep.harVeilederTilgangTilEgenAnsatt(veilederIdent);
Decision decision = poaoTilgangWrapper.harVeilederTilgangTilEgenAnsatt();
if (decision.isPermit() != abacResponse) {
secureLog.warn("Diff between abac and poao-tilgang for veileder: " + veilederIdent + ". Poao-tilgang decision is: " + decision.isPermit());
}
return abacResponse;
public boolean harVeilederTilgangTilEgenAnsatt() {
return poaoTilgangWrapper.harVeilederTilgangTilEgenAnsatt().isPermit();
}

public BrukerinnsynTilganger hentVeilederBrukerInnsynTilganger() {
String veilederId = getInnloggetVeilederIdent().toString();
boolean tilgangTilAdressebeskyttelseStrengtFortrolig = harVeilederTilgangTilKode6(NavIdent.of(veilederId));
boolean tilgangTilAdressebeskyttelseFortrolig = harVeilederTilgangTilKode7(NavIdent.of(veilederId));
boolean tilgangEgenAnsatt = harVeilederTilgangTilEgenAnsatt(NavIdent.of(veilederId));
boolean tilgangTilAdressebeskyttelseStrengtFortrolig = harVeilederTilgangTilKode6();
boolean tilgangTilAdressebeskyttelseFortrolig = harVeilederTilgangTilKode7();
boolean tilgangEgenAnsatt = harVeilederTilgangTilEgenAnsatt();

return new BrukerinnsynTilganger(tilgangTilAdressebeskyttelseStrengtFortrolig, tilgangTilAdressebeskyttelseFortrolig, tilgangEgenAnsatt);
}
Expand All @@ -174,13 +137,13 @@ public String getM2MToken(String tokenScope) {
return aadM2MTokenClient.createMachineToMachineToken(tokenScope);
}

public boolean harVeilederTilgangTilBarn(BarnUnder18AarData barn, String veilederIdent) {
public boolean harVeilederTilgangTilBarn(BarnUnder18AarData barn) {
if (barn.getDiskresjonskode() != null && (barn.getDiskresjonskode().equals(Adressebeskyttelse.STRENGT_FORTROLIG.diskresjonskode)
|| barn.getDiskresjonskode().equals(Adressebeskyttelse.STRENGT_FORTROLIG_UTLAND.diskresjonskode))) {
return harVeilederTilgangTilKode6(NavIdent.of(veilederIdent));
return harVeilederTilgangTilKode6();
}
if (barn.getDiskresjonskode() != null && barn.getDiskresjonskode().equals(Adressebeskyttelse.FORTROLIG.diskresjonskode)) {
return harVeilederTilgangTilKode7(NavIdent.of(veilederIdent));
return harVeilederTilgangTilKode7();
}
return true;
}
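Review bot: In harVeilederTilgangTilEnhet the method reference `poaoTilgangWrapper.harVeilederTilgangTilEnhet(EnhetId.of(enhet))::isPermit` evaluates its receiver at the point the reference is created, so the poao-tilgang lookup runs on every call before tryCacheFirst ever consults harVeilederTilgangTilEnhetCache; the cache only saves the trivial isPermit() call. Pass a lazy supplier instead: `() -> poaoTilgangWrapper.harVeilederTilgangTilEnhet(EnhetId.of(enhet)).isPermit()`. Note also that the cache key still includes veilederId while the new lookup no longer takes it — if PoaoTilgangWrapper resolves the subject from the logged-in request context (not visible here), a caller passing any other veilederId would receive, and cache under that ident, the logged-in user's decision, so either drop the parameter or verify it matches getInnloggetVeilederIdent() before caching. The same eager-evaluation question does not arise in the Kode6/Kode7/EgenAnsatt methods, which are uncached, and the harVeilederTilgangTilEnhet body is fully inside the hunk.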
Original file line number Diff line number Diff line change
@@ -1,8 +1,5 @@
package no.nav.pto.veilarbportefolje.config;

import no.nav.common.abac.Pep;
import no.nav.common.abac.VeilarbPepFactory;
import no.nav.common.abac.audit.SpringAuditRequestInfoSupplier;
import no.nav.common.auth.context.AuthContextHolder;
import no.nav.common.client.aktoroppslag.AktorOppslagClient;
import no.nav.common.client.aktoroppslag.CachedAktorOppslagClient;
Expand All @@ -13,7 +10,6 @@
import no.nav.common.metrics.MetricsClient;
import no.nav.common.rest.client.RestClient;
import no.nav.common.token_client.client.AzureAdMachineToMachineTokenClient;
import no.nav.common.utils.Credentials;
import no.nav.pto.veilarbportefolje.arbeidssoeker.v2.OppslagArbeidssoekerregisteretClient;
import no.nav.pto.veilarbportefolje.auth.AuthService;
import no.nav.pto.veilarbportefolje.auth.PoaoTilgangWrapper;
Expand All @@ -23,13 +19,9 @@
import no.nav.pto.veilarbportefolje.vedtakstotte.VedtaksstotteClient;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.net.http.HttpClient;
import java.util.function.Supplier;

import static no.nav.common.utils.NaisUtils.getCredentials;


@Configuration
public class ClientConfig {

Expand Down Expand Up @@ -64,17 +56,6 @@ public VedtaksstotteClient vedtaksstotteClient(
);
}

@Bean
public Pep veilarbPep(EnvironmentProperties properties) {
Credentials serviceUserCredentials = getCredentials("service_user");
return VeilarbPepFactory.get(
properties.getAbacVeilarbUrl(),
serviceUserCredentials.username,
serviceUserCredentials.password,
new SpringAuditRequestInfoSupplier()
);
}

@Bean
public HttpClient httpClient() {
return HttpClient.newBuilder().build();
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,6 @@ public class EnvironmentProperties {
private String dbUrl;
private String unleashUrl;
private String unleashApiToken;
private String abacVeilarbUrl;
private String opensearchUri;
private String opensearchUsername;
private String opensearchPassword;
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
package no.nav.pto.veilarbportefolje.config;

import no.nav.common.abac.Pep;
import no.nav.common.health.HealthCheckResult;
import no.nav.common.health.selftest.SelfTestCheck;
import no.nav.common.health.selftest.SelfTestChecks;
Expand All @@ -20,14 +19,12 @@ public class HelsesjekkConfig {

@Bean
public SelfTestChecks selfTestChecks(AktorClient aktorClient,
Pep veilarbPep,
JdbcTemplate jdbcTemplate,
OpensearchHealthCheck opensearchHealthCheck) {
List<SelfTestCheck> asyncSelftester = List.of(
new SelfTestCheck(String.format("Sjekker at antall dokumenter > %s", FORVENTET_MINIMUM_ANTALL_DOKUMENTER), false, opensearchHealthCheck),
new SelfTestCheck("Database for portefolje", true, () -> dbPinger(jdbcTemplate)),
new SelfTestCheck("Aktorregister", true, aktorClient),
new SelfTestCheck("ABAC", true, veilarbPep.getAbacClient())
new SelfTestCheck("Aktorregister", true, aktorClient)
);
return new SelfTestChecks(asyncSelftester);
}
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ public BrukereMedAntall hentBrukere(

if (filtervalg.harBarnUnder18AarFilter()) {
if (filtervalg.barnUnder18AarAlder != null && !filtervalg.barnUnder18AarAlder.isEmpty()) {
String[] fraTilAlder = filtervalg.barnUnder18AarAlder.get(0).split("-");
String[] fraTilAlder = filtervalg.barnUnder18AarAlder.getFirst().split("-");
int fraAlder = parseInt(fraTilAlder[0]);
int tilAlder = parseInt(fraTilAlder[1]);
leggTilBarnAlderFilter(boolQuery, authService.harVeilederTilgangTilKode6(), authService.harVeilederTilgangTilKode7(), fraAlder, tilAlder);
1 change: 0 additions & 1 deletion src/main/resources/application.properties
Expand Up @@ -22,7 +22,6 @@ app.env.opensearchPassword=${OPEN_SEARCH_PASSWORD}
app.env.unleashUrl=${UNLEASH_SERVER_API_URL}/api
app.env.unleashApiToken=${UNLEASH_SERVER_API_TOKEN}
app.env.dbUrl=${VEILARBPORTEFOLJE_POSTGRES_DB_URL}
app.env.abac-veilarb-url=${ABAC_PDP_ENDPOINT_URL}
app.env.naisAadDiscoveryUrl=${AZURE_APP_WELL_KNOWN_URL:null}
app.env.naisAadClientId=${AZURE_APP_CLIENT_ID:null}
app.env.kodeverkUrl=${KODEVERK_URL}