Texas-klient

Author: gtcno

texas-klient/src/main/kotlin/no/nav/dagpenger/texas/Config.kt

@@ -9,6 +9,10 @@ import com.natpryce.konfig.stringType
 
 object Config {
     val configuration: Configuration = ConfigurationProperties.systemProperties() overriding EnvironmentVariables()
-    val tokenEndpoint = configuration[Key("nais.token.endpoint", stringType)]
-    val tokenExchangeEndpoint = configuration[Key("nais.token.exhange.endpoint", stringType)]
+    val tokenEndpoint = configuration.tokenEndpoint()
+    val tokenExchangeEndpoint = configuration.tokenExchangeEndpoint()
+
+    fun Configuration.tokenEndpoint() = this[Key("nais.token.endpoint", stringType)]
+
+    fun Configuration.tokenExchangeEndpoint() = this[Key("nais.token.endpoint", stringType)]
 }

texas-klient/src/main/kotlin/no/nav/dagpenger/texas/EntraKlient.kt

@@ -0,0 +1,46 @@
+package no.nav.dagpenger.texas
+
+import io.ktor.client.HttpClient
+
+class EntraKlient(
+    tokenEndpoint: String,
+    tokenExchangeEndpoint: String,
+    introspectEndpoint: String,
+    httpClient: HttpClient = defaultHttpClient(),
+) {
+    companion object {
+        val IDENTITY_PROVIDER = IdentityProvider.ENTRA_ID
+    }
+
+    private val texasKlient: TexasKlient =
+        TexasKlient(
+            tokenEndpoint = tokenEndpoint,
+            tokenExchangeEndpoint = tokenExchangeEndpoint,
+            introspectEndpoint = introspectEndpoint,
+            httpClient = httpClient,
+        )
+
+    suspend fun accessToken(
+        target: String,
+        resource: String? = null,
+        skipCache: Boolean = true,
+    ): TokenResponse =
+        texasKlient.accessToken(
+            target = target,
+            identityProvider = IDENTITY_PROVIDER,
+            resource = resource,
+            skipCache = skipCache,
+        )
+
+    suspend fun exchangeToken(
+        target: String,
+        token: String,
+        skipCache: Boolean = false,
+    ): TokenResponse =
+        texasKlient.exchangeToken(
+            target = target,
+            token = token,
+            identityProvider = IDENTITY_PROVIDER,
+            skipCache = skipCache,
+        )
+}

texas-klient/src/main/kotlin/no/nav/dagpenger/texas/HttpClient.kt

@@ -2,6 +2,7 @@ package no.nav.dagpenger.texas
 
 import com.fasterxml.jackson.annotation.JsonInclude
 import com.fasterxml.jackson.databind.DeserializationFeature
+import com.fasterxml.jackson.databind.module.SimpleModule
 import io.ktor.client.HttpClient
 import io.ktor.client.HttpClientConfig
 import io.ktor.client.call.body
@@ -18,23 +19,27 @@ import io.ktor.serialization.jackson.jackson
 
 fun defaultHttpClient(
     httpClientEngine: HttpClientEngine = CIO.create {},
-    configure: List<HttpClientConfig<*>.() -> Unit> = listOf(defaultRetryConfig()),
+    configure: List<HttpClientConfig<*>.() -> Unit> = listOf(defaultPlugins()),
 ) = HttpClient(httpClientEngine) {
     expectSuccess = true
 
     install(ContentNegotiation) {
         jackson {
             configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false)
             setSerializationInclusion(JsonInclude.Include.NON_NULL)
+            registerModules(
+                SimpleModule().also {
+                    it.addDeserializer(IntrospectResponse::class.java, IntrospectResponseDeserializer)
+                },
+            )
         }
     }
 
     HttpResponseValidator {
-        handleResponseException { cause, request ->
+        handleResponseException { cause, _ ->
             when (cause) {
                 is ClientRequestException -> {
-                    val statusCode = cause.response.status
-                    when (statusCode) {
+                    when (val statusCode = cause.response.status) {
                         HttpStatusCode.BadRequest -> {
                             val errorResponse = cause.response.body<ErrorResponse>()
                             throw BadRequestException(statusCode, errorResponse)
@@ -43,8 +48,7 @@ fun defaultHttpClient(
                 }
 
                 is ServerResponseException -> {
-                    val statusCode = cause.response.status
-                    when (statusCode) {
+                    when (val statusCode = cause.response.status) {
                         HttpStatusCode.InternalServerError -> {
                             val errorResponse = cause.response.body<ErrorResponse>()
                             throw ServerError(statusCode, errorResponse)
@@ -57,7 +61,7 @@ fun defaultHttpClient(
     configure.forEach { it() }
 }
 
-fun defaultRetryConfig(): HttpClientConfig<*>.() -> Unit =
+fun defaultPlugins(): HttpClientConfig<*>.() -> Unit =
     {
         install(HttpRequestRetry) {
             retryOnException(maxRetries = 3, retryOnTimeout = true)

texas-klient/src/main/kotlin/no/nav/dagpenger/texas/IntrospectResponseDeserializer.kt

@@ -0,0 +1,34 @@
+package no.nav.dagpenger.texas
+
+import com.fasterxml.jackson.core.JsonParser
+import com.fasterxml.jackson.core.type.TypeReference
+import com.fasterxml.jackson.databind.DeserializationContext
+import com.fasterxml.jackson.databind.JsonDeserializer
+
+object IntrospectResponseDeserializer : JsonDeserializer<IntrospectResponse>() {
+    override fun deserialize(
+        p: JsonParser,
+        ctxt: DeserializationContext,
+    ): IntrospectResponse {
+        return kotlin.runCatching {
+            val map = p.codec.readValue(p, object : TypeReference<Map<String, Any>>() {})
+            when (map["active"] as Boolean) {
+                true -> {
+                    IntrospectResponse.Valid(
+                        map.filter {
+                            it.key != "active"
+                        },
+                    )
+                }
+
+                false -> {
+                    IntrospectResponse.Invalid(map["error"] as String)
+                }
+            }
+        }.getOrElse { t ->
+            throw ParseException("Failed to parse IntrospectResponse:", t)
+        }
+    }
+}
+
+class ParseException(message: String, cause: Throwable) : RuntimeException(message, cause)

texas-klient/src/main/kotlin/no/nav/dagpenger/texas/TexasKlient.kt

@@ -1,21 +1,40 @@
 package no.nav.dagpenger.texas
 
+import com.fasterxml.jackson.annotation.JsonValue
 import io.ktor.client.HttpClient
 import io.ktor.client.call.body
 import io.ktor.client.request.header
 import io.ktor.client.request.post
 import io.ktor.client.request.setBody
 import io.ktor.http.HttpStatusCode
 
+data class IntrospectRequest(
+    val identity_provider: IdentityProvider,
+    val token: String,
+)
+
+sealed class IntrospectResponse(val active: Boolean) {
+    data class Valid(val claims: Map<String, Any>) : IntrospectResponse(active = true)
+
+    data class Invalid(val error: String) : IntrospectResponse(active = false)
+}
+
+enum class IdentityProvider(
+    @JsonValue
+    val value: String,
+) {
+    ENTRA_ID("azuread"),
+}
+
 data class TokenRequest(
-    val identity_provider: String,
+    val identity_provider: IdentityProvider,
     val target: String,
     val resource: String? = null,
     val skip_cache: Boolean = false,
 )
 
 data class TokenExchangeRequest(
-    val identity_provider: String,
+    val identity_provider: IdentityProvider,
     val target: String,
     val user_token: String,
     val skip_cache: Boolean = false,
@@ -43,55 +62,15 @@ class BadRequestException(httpStatusCode: HttpStatusCode, errorResponse: ErrorRe
 class ServerError(httpStatusCode: HttpStatusCode, errorResponse: ErrorResponse) :
     RequestError(httpStatusCode, errorResponse)
 
-class EntraKlient(
-    tokenEndpoint: String,
-    tokenExchangeEndpoint: String,
-    httpClient: HttpClient = defaultHttpClient(),
-) {
-    companion object {
-        const val IDENTITY_PROVIDER = "azuread"
-    }
-
-    private val texasKlient: TexasKlient =
-        TexasKlient(
-            tokenEndpoint = tokenEndpoint,
-            tokenExchangeEndpoint = tokenExchangeEndpoint,
-            httpClient = httpClient,
-        )
-
-    suspend fun accessToken(
-        target: String,
-        resource: String? = null,
-        skipCache: Boolean = true,
-    ): TokenResponse =
-        texasKlient.accessToken(
-            target = target,
-            identityProvider = IDENTITY_PROVIDER,
-            resource = resource,
-            skipCache = skipCache,
-        )
-
-    suspend fun exchangeToken(
-        target: String,
-        token: String,
-        skipCache: Boolean = false,
-    ): TokenResponse =
-        texasKlient.exchangeToken(
-            target = target,
-            token = token,
-            identityProvider = IDENTITY_PROVIDER,
-            skipCache = skipCache,
-        )
-}
-
 class TexasKlient(
     private val tokenEndpoint: String,
     private val tokenExchangeEndpoint: String,
+    private val introspectEndpoint: String,
     private val httpClient: HttpClient = defaultHttpClient(),
 ) {
     suspend fun accessToken(
         target: String,
-        identityProvider: String,
+        identityProvider: IdentityProvider,
         resource: String? = null,
         skipCache: Boolean,
     ): TokenResponse {
@@ -107,19 +86,40 @@ class TexasKlient(
     suspend fun exchangeToken(
         target: String,
         token: String,
-        identityProvider: String,
+        identityProvider: IdentityProvider,
         skipCache: Boolean,
     ): TokenResponse {
-        return httpClient.post(tokenExchangeEndpoint) {
-            header("Content-Type", "application/json")
-            setBody(
-                TokenExchangeRequest(
-                    identity_provider = identityProvider,
-                    target = target,
-                    user_token = token,
-                    skip_cache = skipCache,
-                ),
-            )
-        }.body<TokenResponse>()
+        return kotlin.runCatching {
+            httpClient.post(tokenExchangeEndpoint) {
+                header("Content-Type", "application/json")
+                setBody(
+                    TokenExchangeRequest(
+                        identity_provider = identityProvider,
+                        target = target,
+                        user_token = token,
+                        skip_cache = skipCache,
+                    ),
+                )
+            }.body<TokenResponse>()
+        }.onFailure {
+        }.getOrThrow()
+    }
+
+    suspend fun introspect(
+        identityProvider: IdentityProvider,
+        token: String,
+    ): IntrospectResponse {
+        return kotlin.runCatching {
+            httpClient.post(introspectEndpoint) {
+                header("Content-Type", "application/json")
+                setBody(
+                    IntrospectRequest(
+                        identity_provider = identityProvider,
+                        token = token,
+                    ),
+                )
+            }.body<IntrospectResponse>()
+        }.onFailure {
+        }.getOrThrow()
     }
 }

texas-klient/src/test/kotlin/no/nav/dagpenger/texas/IntrospectResponseDeserializerTest.kt

@@ -0,0 +1,59 @@
+package no.nav.dagpenger.texas
+
+import com.fasterxml.jackson.databind.module.SimpleModule
+import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
+import io.kotest.matchers.shouldBe
+import org.junit.jupiter.api.Test
+
+class IntrospectResponseDeserializerTest {
+    private val mapper =
+        jacksonObjectMapper().also {
+            val simpleModule =
+                SimpleModule().also {
+                    it.addDeserializer(IntrospectResponse::class.java, IntrospectResponseDeserializer)
+                }
+            it.registerModule(simpleModule)
+        }
+
+    @Test
+    fun `deserialize valid response`() {
+        //language=json
+        val json =
+            """
+            {
+                "active": true,
+                "sub": "1234567890",
+                "name": "John Doe",
+                "int": 12223,
+                "admin": true
+            }
+            """.trimIndent()
+
+        mapper.readValue(json, IntrospectResponse::class.java) shouldBe
+            IntrospectResponse.Valid(
+                mapOf(
+                    "sub" to "1234567890",
+                    "int" to 12223,
+                    "name" to "John Doe",
+                    "admin" to true,
+                ),
+            )
+    }
+
+    @Test
+    fun `deserialize invalid response`() {
+        //language=json
+        val json =
+            """
+            {
+                "active": false,
+                "error": "This is an error"
+            }
+            """.trimIndent()
+
+        mapper.readValue(json, IntrospectResponse::class.java) shouldBe
+            IntrospectResponse.Invalid(
+                "This is an error",
+            )
+    }
+}

texas-klient/src/test/kotlin/no/nav/dagpenger/texas/TexasKlientTest.kt

@@ -19,9 +19,10 @@ import org.junit.jupiter.api.Test
 
 class TexasKlientTest {
     @Test
-    fun `riktig http verb,headers og body`() {
+    fun `riktig http verb,headers, body  og response ved kall til Texas`() {
         var tokenRequest: HttpRequestData? = null
         var tokenExchangeRequest: HttpRequestData? = null
+        var introspectRequest: HttpRequestData? = null
         runBlocking {
             val mockEngine =
                 MockEngine { request ->
@@ -46,35 +47,76 @@ class TexasKlientTest {
                             )
                         }
 
+                        "introspect" -> {
+                            introspectRequest = request
+                            respond(
+                                // language=json
+                                content = """{ "active": true, "sub": "1234567890", "name": "John Doe", "int": 12223, "admin": true }""",
+                                status = HttpStatusCode.OK,
+                                headers = headersOf(HttpHeaders.ContentType, ContentType.Application.Json.toString()),
+                            )
+                        }
+
                         else -> error("bad url")
                     }
                 }
             TexasKlient(
                 tokenEndpoint = "http://localhost/token",
                 tokenExchangeEndpoint = "http://localhost/tokenexchange",
+                introspectEndpoint = "http://localhost/introspect",
                 httpClient = defaultHttpClient(mockEngine),
             ).let { client ->
                 client.accessToken(
                     target = "target",
-                    identityProvider = "test",
+                    identityProvider = IdentityProvider.ENTRA_ID,
                     skipCache = true,
-                )
+                ) shouldBe
+                    TokenResponse(
+                        access_token = "token",
+                        token_type = "Bearer",
+                        expires_in = 9999,
+                    )
                 requireNotNull(tokenRequest).let { it ->
                     //language=json
-                    String(it.body.toByteArray()) shouldEqualJson """{"identity_provider":"test","target":"target", "skip_cache":true}"""
+                    String(it.body.toByteArray()) shouldEqualJson """{"identity_provider":"azuread","target":"target", "skip_cache":true}"""
                     it.headers[HttpHeaders.Accept] shouldBe ContentType.Application.Json.toString()
                     it.method shouldBe HttpMethod.Post
                 }
 
                 client.exchangeToken(
                     target = "target",
                     token = "user_token",
-                    identityProvider = "test",
+                    identityProvider = IdentityProvider.ENTRA_ID,
                     skipCache = true,
-                )
+                ) shouldBe
+                    TokenResponse(
+                        access_token = "obo_token",
+                        token_type = "Bearer",
+                        expires_in = 9999,
+                    )
                 requireNotNull(tokenExchangeRequest).let {
                     //language=json
-                    String(it.body.toByteArray()) shouldEqualJson """{"identity_provider":"test","target":"target","user_token":"user_token", "skip_cache":true}"""
+                    String(it.body.toByteArray()) shouldEqualJson """{"identity_provider":"azuread","target":"target","user_token":"user_token", "skip_cache":true}"""
+                    it.headers[HttpHeaders.Accept] shouldBe ContentType.Application.Json.toString()
+                    it.method shouldBe HttpMethod.Post
+                }
+
+                client.introspect(
+                    identityProvider = IdentityProvider.ENTRA_ID,
+                    token = "introspect_token",
+                ) shouldBe
+                    IntrospectResponse.Valid(
+                        claims =
+                            mapOf(
+                                "sub" to "1234567890",
+                                "name" to "John Doe",
+                                "int" to 12223,
+                                "admin" to true,
+                            ),
+                    )
+                requireNotNull(introspectRequest).let {
+                    //language=json
+                    String(it.body.toByteArray()) shouldEqualJson """{"identity_provider":"azuread","token":"introspect_token"}"""
                     it.headers[HttpHeaders.Accept] shouldBe ContentType.Application.Json.toString()
                     it.method shouldBe HttpMethod.Post
                 }
@@ -111,12 +153,13 @@ class TexasKlientTest {
             TexasKlient(
                 tokenEndpoint = "http://localhost/token",
                 tokenExchangeEndpoint = "http://localhost/tokenexchange",
+                introspectEndpoint = "http://localhost/introspect",
                 httpClient = defaultHttpClient(mockEngine),
             ).let { client ->
                 shouldThrow<BadRequestException> {
                     client.accessToken(
                         target = "target",
-                        identityProvider = "test",
+                        identityProvider = IdentityProvider.ENTRA_ID,
                         skipCache = true,
                     )
                 }.errorResponse shouldBe ErrorResponse("badrequest", "badrequest description")
@@ -125,7 +168,7 @@ class TexasKlientTest {
                     client.exchangeToken(
                         target = "target",
                         token = "user_token",
-                        identityProvider = "test",
+                        identityProvider = IdentityProvider.ENTRA_ID,
                         skipCache = true,
                     )
                 }.errorResponse shouldBe