Prøve logge origin + host (#1213)

jolarsen · web-flow · commit 6096117b667b · 2022-11-21T13:44:08.000+01:00
diff --git a/felles/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/jaspic/OidcAuthModule.java b/felles/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/jaspic/OidcAuthModule.java
@@ -36,6 +36,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.eclipse.jetty.http.HttpHeader;
 import org.jose4j.jwt.JwtClaims;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -184,7 +185,7 @@ protected AuthStatus oidcLogin(MessageInfo messageInfo, Subject clientSubject, H
             return FAILURE;
         }
         if (OpenIDProvider.ISSO.equals(configuration.get().type())) {
-            LOG.info("OPENAM incoming openam, target {}", request.getRequestURL().toString());
+            loggOpenAm(request, "incoming openam");
         }
 
         var expiresAt = claims.map(JwtUtil::getExpirationTime).orElseGet(() -> Instant.now().plusSeconds(300));
@@ -212,7 +213,6 @@ protected AuthStatus oidcLogin(MessageInfo messageInfo, Subject clientSubject, H
     private Optional<OpenIDToken> refreshCookieTokenVedBehov(HttpServletRequest request, OpenIDToken token, JwtClaims claims) {
         if (OpenIDProvider.ISSO.equals(token.provider()) && openAmTokenProvider.isOpenAmTokenSoonExpired(token) && tokenLocator.isTokenFromCookie(request)
             && Set.of(OidcLogin.LoginResult.SUCCESS, OidcLogin.LoginResult.ID_TOKEN_EXPIRED).contains(OidcLogin.validerToken(token).loginResult())) {
-            LOG.info("OPENAM refresh token");
             return openAmTokenProvider.refreshOpenAmIdToken(token, Optional.ofNullable(claims).map(JwtUtil::getClientName).orElse(null));
         }
         return Optional.empty();
@@ -309,7 +309,7 @@ protected AuthStatus responseUnAuthorized(MessageInfo messageInfo) {
                     || (authorizationHeader != null && authorizationHeader.startsWith(OpenIDToken.OIDC_DEFAULT_TOKEN_TYPE))) {
                 response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Resource is protected, but id token is missing or invalid.");
             } else {
-                LOG.info("OPENAM redirect login pga tom header, target {}", request.getRequestURL().toString());
+                loggOpenAm(request, "redirect login pga tom header");
                 IssoAuthorizationRequestBuilder builder = new IssoAuthorizationRequestBuilder();
                 // TODO (u139158): CSRF attack protection. See RFC-6749 section 10.12 (the
                 // state-cookie containing redirectURL shold be encrypted to avoid tampering)
@@ -323,6 +323,12 @@ protected AuthStatus responseUnAuthorized(MessageInfo messageInfo) {
         return SEND_CONTINUE;
     }
 
+    private void loggOpenAm(HttpServletRequest request, String message) {
+        var origins = Optional.ofNullable(request.getHeader(HttpHeader.ORIGIN.asString())).orElse("")
+            + "host:" + Optional.ofNullable(request.getHeader(HttpHeader.HOST.asString())).orElse("");
+        LOG.info("OPENAM {}, target {} origin {}", message, request.getRequestURL().toString(), origins);
+    }
+
     private String encode(String redirectLocation) {
         return URLEncoder.encode(redirectLocation, StandardCharsets.UTF_8);
     }
