Sanere openambruk før nyttår (#1224)

Author: jolarsen

felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/Token.java

@@ -66,9 +66,8 @@ public SluttBruker getSluttBruker() {
 
     private static TokenType utledTokenType(OpenIDToken token) {
         return switch (token.provider()) {
-            case ISSO, STS, AZUREAD -> TokenType.OIDC;
+            case STS, AZUREAD -> TokenType.OIDC;
             case TOKENX -> TokenType.TOKENX;
-            case IDPORTEN -> throw new IllegalStateException("IdPorten token støttes ikke.");
         };
     }
 

felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/TokenProvider.java

@@ -20,7 +20,7 @@ public interface TokenProvider {
     SluttBruker getSluttBruker();
 
     /**
-     * OIDC tokenet til brukeren. Helst fra følgende providere: Tokendings, AzureAD, STS, OpenAM.
+     * OIDC tokenet til brukeren. Helst fra følgende providere: TokenX, AzureAD, STS.
      * Sendes til PDP (Policy Decision Point) og gir informasjon til ABAC om subject og auth level.
      * @return bruker OIDC token.
      */

felles/abac/src/test/resources/application.properties

@@ -1,7 +1,5 @@
 package no.nav.vedtak.log.audit;
 
-import java.util.Objects;
-
 import javax.enterprise.context.Dependent;
 import javax.inject.Inject;
 

felles/log/src/main/java/no/nav/vedtak/log/audit/Auditlogger.java

@@ -2,16 +2,15 @@
 
 import java.net.URI;
 
-public final record OpenIDConfiguration(OpenIDProvider type,
-                                        URI issuer,
-                                        URI jwksUri,
-                                        URI tokenEndpoint,
-                                        URI authorizationEndpoint,
-                                        boolean useProxyForJwks,
-                                        URI proxy,
-                                        String clientId,
-                                        String clientSecret, // Settes nå kun for openam. Vurder økt bruk. Noen providers buker jws.
-                                        boolean skipAudienceValidation) {
+public record OpenIDConfiguration(OpenIDProvider type,
+                                  URI issuer,
+                                  URI jwksUri,
+                                  URI tokenEndpoint,
+                                  boolean useProxyForJwks,
+                                  URI proxy,
+                                  String clientId,
+                                  String clientSecret,
+                                  boolean skipAudienceValidation) {
     @Override
     public String toString() {
         return "OpenIDConfiguration{" +

felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/OpenIDConfiguration.java

@@ -1,9 +1,7 @@
 package no.nav.vedtak.sikkerhet.oidc.config;
 
 public enum OpenIDProvider {
-    ISSO,
     STS,
     AZUREAD,
-    TOKENX,
-    IDPORTEN
+    TOKENX
 }

felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/OpenIDProvider.java

@@ -1,6 +1,5 @@
 package no.nav.vedtak.sikkerhet.oidc.config.impl;
 
-import static no.nav.vedtak.sikkerhet.oidc.config.impl.WellKnownConfigurationHelper.getAuthorizationEndpointFra;
 import static no.nav.vedtak.sikkerhet.oidc.config.impl.WellKnownConfigurationHelper.getIssuerFra;
 import static no.nav.vedtak.sikkerhet.oidc.config.impl.WellKnownConfigurationHelper.getJwksFra;
 import static no.nav.vedtak.sikkerhet.oidc.config.impl.WellKnownConfigurationHelper.getTokenEndpointFra;
@@ -26,24 +25,16 @@ public final class OidcProviderConfig {
     private static final Environment ENV = Environment.current();
     private static final Logger LOG = LoggerFactory.getLogger(OidcProviderConfig.class);
 
-    public static final String OPEN_AM_WELL_KNOWN_URL = "oidc.open.am.well.known.url";
-    private static final String OPEN_AM_CONFIG_ISSUER = "oidc.open.am.openid.config.issuer";
-    private static final String OPEN_AM_CONFIG_JWKS_URI = "oidc.open.am.openid.config.jwks.uri";
-    private static final String OPEN_AM_CONFIG_TOKEN_ENDPOINT = "oidc.open.am.openid.config.token.endpoint";
-    private static final String OPEN_AM_CONFIG_AUTH_ENDPOINT = "oidc.open.am.openid.config.authorization.endpoint";
-    public static final String OPEN_AM_CLIENT_ID = "oidc.open.am.client.id";
-    public static final String OPEN_AM_CLIENT_SECRET = "oidc.open.am.client.secret";
-
     private static final String STS_WELL_KNOWN_URL = "oidc.sts.well.known.url";
     private static final String STS_CONFIG_ISSUER = "oidc.sts.openid.config.issuer";
     private static final String STS_CONFIG_JWKS_URI = "oidc.sts.openid.config.jwks.uri";
     private static final String STS_CONFIG_TOKEN_ENDPOINT = "oidc.sts.openid.config.token.endpoint";
 
-    private static final String AZURE_WELL_KNOWN_URL = "azure.app.well.known.url"; // naiserator
-    private static final String AZURE_CONFIG_ISSUER = "azure.openid.config.issuer"; // naiserator
-    private static final String AZURE_CONFIG_JWKS_URI = "azure.openid.config.jwks.uri"; // naiserator
+    public  static final String AZURE_WELL_KNOWN_URL = "azure.app.well.known.url"; // naiserator
+    public  static final String AZURE_CONFIG_ISSUER = "azure.openid.config.issuer"; // naiserator
+    public  static final String AZURE_CONFIG_JWKS_URI = "azure.openid.config.jwks.uri"; // naiserator
     private static final String AZURE_CONFIG_TOKEN_ENDPOINT = "azure.openid.config.token.endpoint"; // naiserator
-    private static final String AZURE_CLIENT_ID = "azure.app.client.id"; // naiserator
+    public  static final String AZURE_CLIENT_ID = "azure.app.client.id"; // naiserator
     private static final String AZURE_CLIENT_SECRET = "azure.app.client.secret"; // naiserator
     private static final String AZURE_HTTP_PROXY = "azure.http.proxy"; // settes ikke av naiserator
 
@@ -97,15 +88,12 @@ private static synchronized Set<OpenIDConfiguration> init() {
     private static Set<OpenIDConfiguration> hentConfig() {
         Set<OpenIDConfiguration> idProviderConfigs = new HashSet<>();
 
-        // OpenAM
-        idProviderConfigs.add(createOpenAmConfiguration(ENV.getProperty(OPEN_AM_WELL_KNOWN_URL)));
-
         // OIDC STS
-        if (ENV.getProperty(STS_WELL_KNOWN_URL) != null || ENV.getProperty("oidc.sts.issuer.url") != null || ENV.getProperty(STS_CONFIG_ISSUER) != null) { // Det er kanskje noen apper som ikke bruker STS token validering??
+        if (ENV.getProperty(STS_WELL_KNOWN_URL) != null || ENV.getProperty(STS_CONFIG_ISSUER) != null) { // Det er kanskje noen apper som ikke bruker STS token validering??
             idProviderConfigs.add(createStsConfiguration(ENV.getProperty(STS_WELL_KNOWN_URL)));
         }
 
-        // Azure
+        // Azure - ikke alle apps trenger denne (tokenx-apps)
         var azureKonfigUrl = ENV.getProperty(AZURE_WELL_KNOWN_URL);
         if (azureKonfigUrl != null) {
             LOG.debug("Oppretter AzureAD konfig fra '{}'", azureKonfigUrl);
@@ -127,52 +115,20 @@ private static Set<OpenIDConfiguration> hentConfig() {
         return idProviderConfigs;
     }
 
-    private static OpenIDConfiguration createOpenAmConfiguration(String wellKnownUrl) {
-        return createConfiguration(OpenIDProvider.ISSO,
-            Optional.ofNullable(ENV.getProperty(OPEN_AM_CONFIG_ISSUER))
-                .or(() -> getIssuerFra(wellKnownUrl))
-                .orElseGet(OpenAmProperties::getIssoIssuerUrl),
-            Optional.ofNullable(ENV.getProperty(OPEN_AM_CONFIG_JWKS_URI))
-                .or(() -> getJwksFra(wellKnownUrl))
-                .orElseGet(OpenAmProperties::getIssoJwksUrl),
-            Optional.ofNullable(ENV.getProperty(OPEN_AM_CONFIG_TOKEN_ENDPOINT))
-                .or(() -> getTokenEndpointFra(wellKnownUrl))
-                .orElseGet(OpenAmProperties::getIssoTokenUrl),
-            Optional.ofNullable(ENV.getProperty(OPEN_AM_CONFIG_AUTH_ENDPOINT))
-                .or(() -> getAuthorizationEndpointFra(wellKnownUrl))
-                .orElseGet(OpenAmProperties::getIssoAuthUrl),
-            false, null,
-            Optional.ofNullable(ENV.getProperty(OPEN_AM_CLIENT_ID))
-                .orElseGet(OpenAmProperties::getIssoUserName),
-            Optional.ofNullable(ENV.getProperty(OPEN_AM_CLIENT_SECRET))
-                .orElseGet(OpenAmProperties::getIssoPassword),
-            true);
-    }
-
     private static OpenIDConfiguration createStsConfiguration(String wellKnownUrl) {
         return createConfiguration(OpenIDProvider.STS,
             Optional.ofNullable(ENV.getProperty(STS_CONFIG_ISSUER))
-                .or(() -> getIssuerFra(wellKnownUrl))
-                .orElseGet(() -> ENV.getProperty("oidc.sts.issuer.url")),
+                .or(() -> getIssuerFra(wellKnownUrl)).orElse(null),
             Optional.ofNullable(ENV.getProperty(STS_CONFIG_JWKS_URI))
-                .or(() -> getJwksFra(wellKnownUrl))
-                .orElseGet(() -> ENV.getProperty("oidc.sts.jwks.url")),
+                .or(() -> getJwksFra(wellKnownUrl)).orElse(null),
             Optional.ofNullable(ENV.getProperty(STS_CONFIG_TOKEN_ENDPOINT))
-                .or(() -> getTokenEndpointFra(wellKnownUrl))
-                .orElseGet(OidcProviderConfig::tokenEndpointFromLegacySTS),
-            null,
+                .or(() -> getTokenEndpointFra(wellKnownUrl)).orElse(null),
             false, null,
             ENV.getProperty("systembruker.username"),
-            null,
+            ENV.getProperty("systembruker.password"),
             true);
     }
 
-    private static String tokenEndpointFromLegacySTS() {
-        var issuer =  ENV.getProperty("oidc.sts.issuer.url");
-        var endpointpath = Optional.ofNullable(ENV.getProperty("oidc.sts.token.path")).orElse("/rest/v1/sts/token");
-        return issuer != null ? issuer + endpointpath : null;
-    }
-
     @SuppressWarnings("unused")
     private static OpenIDConfiguration createAzureAppConfiguration(String wellKnownUrl) {
         var useProxy = ENV.isLocal() ? null : URI.create(ENV.getProperty(AZURE_HTTP_PROXY, getDefaultProxy()));
@@ -183,9 +139,6 @@ private static OpenIDConfiguration createAzureAppConfiguration(String wellKnownU
                 .orElseGet(() -> getJwksFra(wellKnownUrl, useProxy).orElse(null)),
             Optional.ofNullable(ENV.getProperty(AZURE_CONFIG_TOKEN_ENDPOINT))
                 .orElseGet(() -> getTokenEndpointFra(wellKnownUrl, useProxy).orElse(null)),
-            Optional.ofNullable(ENV.getProperty(AZURE_CONFIG_TOKEN_ENDPOINT))
-                .map(s -> s.replace("/token", "/authorize"))
-                .orElseGet(() -> getAuthorizationEndpointFra(wellKnownUrl, useProxy).orElse(null)),
             !ENV.isLocal(), useProxy,
             ENV.getRequiredProperty(AZURE_CLIENT_ID),
             ENV.getProperty(AZURE_CLIENT_SECRET),
@@ -197,7 +150,6 @@ private static OpenIDConfiguration createTokenXConfiguration(String wellKnownUrl
             getIssuerFra(wellKnownUrl).orElseThrow(),
             getJwksFra(wellKnownUrl).orElseThrow(),
             getTokenEndpointFra(wellKnownUrl).orElse(null),
-            getAuthorizationEndpointFra(wellKnownUrl).orElse(null),
             false, null,
             ENV.getRequiredProperty(TOKEN_X_CLIENT_ID),
             null, // Signerer requests med jws
@@ -208,7 +160,6 @@ private static OpenIDConfiguration createConfiguration(OpenIDProvider type,
                                                            String issuer,
                                                            String jwks,
                                                            String tokenEndpoint,
-                                                           String authorizationEndpoint,
                                                            boolean useProxyForJwks,
                                                            URI proxy,
                                                            String clientName,
@@ -218,7 +169,6 @@ private static OpenIDConfiguration createConfiguration(OpenIDProvider type,
             tilURI(issuer, "issuer", type),
             tilURI(jwks, "jwksUri", type),
             tokenEndpoint != null ? tilURI(tokenEndpoint, "tokenEndpoint", type) : null,
-            authorizationEndpoint != null ? tilURI(authorizationEndpoint, "authorizationEndpoint", type) : null,
             useProxyForJwks,
             proxy,
             Objects.requireNonNull(clientName),

felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/impl/OidcProviderConfig.java

@@ -28,7 +28,8 @@ public class WellKnownConfigurationHelper {
     private static final Logger LOG = LoggerFactory.getLogger(WellKnownConfigurationHelper.class);
     private static final Environment ENV = Environment.current();
     private static final ObjectReader READER = DefaultJsonMapper.getObjectMapper().readerFor(WellKnownOpenIdConfiguration.class);
-    private static final String STANDARD_WELL_KNOWN_PATH = ".well-known/openid-configuration";
+
+    public static final String STANDARD_WELL_KNOWN_PATH = ".well-known/openid-configuration";
 
     private static Map<String, WellKnownOpenIdConfiguration> wellKnownConfigMap = Collections.synchronizedMap(new LinkedHashMap<>());
 
@@ -67,14 +68,6 @@ static Optional<String> getTokenEndpointFra(String wellKnownURL, URI proxyUrl) {
         return Optional.ofNullable(wellKnownURL).map(u -> getWellKnownConfig(u, proxyUrl).token_endpoint());
     }
 
-    static Optional<String> getAuthorizationEndpointFra(String wellKnownURL) {
-        return Optional.ofNullable(wellKnownURL).map(u -> getWellKnownConfig(u, null).authorization_endpoint());
-    }
-
-    static Optional<String> getAuthorizationEndpointFra(String wellKnownURL, URI proxyUrl) {
-        return Optional.ofNullable(wellKnownURL).map(u -> getWellKnownConfig(u, proxyUrl).authorization_endpoint());
-    }
-
     private static WellKnownOpenIdConfiguration hentWellKnownConfig(String wellKnownURL, URI proxy) {
         try {
             if (wellKnownURL == null) return null;

felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/impl/OpenAmProperties.java

@@ -6,7 +6,6 @@
  */
 public record WellKnownOpenIdConfiguration(String issuer,
                                            String jwks_uri,
-                                           String token_endpoint,
-                                           String authorization_endpoint) {
+                                           String token_endpoint) {
 
 }

felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/impl/WellKnownConfigurationHelper.java

@@ -11,7 +11,6 @@ public record OpenIDToken(OpenIDProvider provider,
                           String tokenType,
                           TokenString primary,
                           String scope,
-                          TokenString refresh,
                           long expiresAtMillis) {
 
     public static final String OIDC_DEFAULT_TOKEN_TYPE = "Bearer ";
@@ -21,24 +20,15 @@ public record OpenIDToken(OpenIDProvider provider,
     private static final int BUFFER = 120;
 
     public OpenIDToken(OpenIDProvider provider, TokenString token) {
-        this(provider, OIDC_DEFAULT_TOKEN_TYPE, token, null, null,System.currentTimeMillis() + (150 * MILLIS));
+        this(provider, OIDC_DEFAULT_TOKEN_TYPE, token, null, System.currentTimeMillis() + (150 * MILLIS));
     }
 
     public OpenIDToken(OpenIDProvider provider,
                        String tokenType,
                        TokenString primary,
                        String scope,
                        Integer expireIn) {
-        this(provider, tokenType, primary, scope, null, expireIn);
-    }
-
-    public OpenIDToken(OpenIDProvider provider,
-                       String tokenType,
-                       TokenString primary,
-                       String scope,
-                       TokenString refresh,
-                       Integer expireIn) {
-        this(provider, tokenType, primary, scope, refresh, expireAtFromExpireIn(expireIn));
+        this(provider, tokenType, primary, scope, expireAtFromExpireIn(expireIn));
     }
 
     public boolean isNotExpired() {
@@ -50,17 +40,13 @@ public LocalDateTime expiresAt() {
     }
 
     public OpenIDToken copy() {
-        return new OpenIDToken(provider(), tokenType(), primary(), scope(), this.refresh(), expiresAtMillis());
+        return new OpenIDToken(provider(), tokenType(), primary(), scope(), expiresAtMillis());
     }
 
     public String token() {
         return primary().token();
     }
 
-    public Optional<String> refreshToken() {
-        return Optional.ofNullable(this.refresh()).map(TokenString::token);
-    }
-
     @Override
     public String toString() {
         return "OpenIDToken{" +

felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/config/impl/WellKnownOpenIdConfiguration.java

@@ -82,7 +82,10 @@ private static OidcTokenResponse hentAccessToken(String clientId, String clientS
 
     private static HttpRequest.BodyPublisher ofFormData(String clientId, String clientSecret, String scope) {
         var encodedScope = URLEncoder.encode(scope, UTF_8);
-        var formdata = "grant_type=client_credentials&client_id=" + clientId + "&client_secret=" + clientSecret + "&scope=" + encodedScope;
+        var formdata = "grant_type=client_credentials"
+            + "&client_id=" + clientId
+            + "&client_secret=" + clientSecret
+            + "&scope=" + encodedScope;
         return HttpRequest.BodyPublishers.ofString(formdata, UTF_8);
     }