Klient for pdl-pip-api

Author: jolarsen

felles/pom.xml

@@ -28,6 +28,7 @@
         <module>abac-kontekst</module>
         <module>auth-filter</module>
         <module>server</module>
+        <module>tilgang</module>
     </modules>
 
     <dependencyManagement>
@@ -52,6 +53,11 @@
                 <artifactId>felles-kontekst</artifactId>
                 <version>${project.version}</version>
             </dependency>
+            <dependency>
+                <groupId>no.nav.foreldrepenger.felles</groupId>
+                <artifactId>felles-tilgang</artifactId>
+                <version>${project.version}</version>
+            </dependency>
             <dependency>
                 <groupId>no.nav.foreldrepenger.felles</groupId>
                 <artifactId>felles-abac</artifactId>

felles/tilgang/pom.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>felles</artifactId>
+        <groupId>no.nav.foreldrepenger.felles</groupId>
+        <version>0.0.0-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>felles-tilgang</artifactId>
+    <name>Felles :: Tilgangskontroll</name>
+
+
+    <dependencies>
+        <dependency>
+            <groupId>jakarta.enterprise</groupId>
+            <artifactId>jakarta.enterprise.cdi-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>no.nav.foreldrepenger.felles</groupId>
+            <artifactId>felles-oidc</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>jakarta.ws.rs</groupId>
+            <artifactId>jakarta.ws.rs-api</artifactId>
+        </dependency>
+    </dependencies>
+
+
+</project>
+
+
+
+
+
+
+

felles/tilgang/src/main/java/no/nav/vedtak/sikkerhet/tilgang/TilgangPersondata.java

@@ -0,0 +1,14 @@
+package no.nav.vedtak.sikkerhet.tilgang;
+
+import java.util.List;
+import java.util.Map;
+
+public interface TilgangPersondata {
+
+    // ident er aktørId eller personident
+    TilgangPersondataDto hentTilgangPersondata(String ident);
+
+    // identer er aktørId eller personident. Respons er map fra personident til responsobjekt
+    Map<String, TilgangPersondataDto> hentTilgangPersondataBolk(List<String> identer);
+
+}

felles/tilgang/src/main/java/no/nav/vedtak/sikkerhet/tilgang/TilgangPersondataDto.java

@@ -0,0 +1,95 @@
+package no.nav.vedtak.sikkerhet.tilgang;
+
+import java.time.LocalDate;
+import java.util.List;
+import java.util.Optional;
+
+import com.fasterxml.jackson.annotation.JsonEnumDefaultValue;
+
+public record TilgangPersondataDto(String aktoerId, Person person, Identer identer, GeografiskTilknytning geografiskTilknytning) {
+
+    public record Person(List<Adressebeskyttelse> adressebeskyttelse, List<Fødsel> foedsel,
+                         List<Dødsfall> doedsfall, List<Familierelasjoner> familierelasjoner) {
+    }
+
+    public record Adressebeskyttelse(Gradering gradering) { }
+
+    public record Fødsel(LocalDate foedselsdato) { }
+
+    public record Dødsfall(LocalDate doedsdato) { }
+
+    public record Familierelasjoner(String relatertPersonsIdent) { } // FNR
+
+    public record Identer(List<Ident> identer) { }
+
+    public record Ident(String ident, Boolean historisk, IdentGruppe gruppe) { }
+
+    public record GeografiskTilknytning(GtType gtType, String gtKommune, String gtBydel, String gtLand, String regel) { }
+
+    public enum Gradering { STRENGT_FORTROLIG_UTLAND, STRENGT_FORTROLIG, FORTROLIG, @JsonEnumDefaultValue UDEFINERT }
+
+    public enum IdentGruppe { AKTORID, FOLKEREGISTERIDENT, NPID, @JsonEnumDefaultValue UDEFINERT }
+
+    public enum GtType { KOMMUNE, BYDEL, UTLAND, @JsonEnumDefaultValue UDEFINERT }
+
+    public boolean harStrengAdresseBeskyttelse() {
+        return Optional.ofNullable(person()).map(Person::adressebeskyttelse).orElse(List.of()).stream()
+            .map(Adressebeskyttelse::gradering)
+            .anyMatch(g -> Gradering.STRENGT_FORTROLIG.equals(g) || Gradering.STRENGT_FORTROLIG_UTLAND.equals(g));
+    }
+
+    public boolean harAdresseBeskyttelse() {
+        return Optional.ofNullable(person()).map(Person::adressebeskyttelse).orElse(List.of()).stream()
+            .map(Adressebeskyttelse::gradering)
+            .anyMatch(g -> g != null && !Gradering.UDEFINERT.equals(g));
+    }
+
+    public boolean erIkkeMyndig() {
+        return Optional.ofNullable(person()).map(Person::foedsel).orElse(List.of()).stream()
+            .map(Fødsel::foedselsdato)
+            .anyMatch(f -> f == null || f.plusYears(18).isAfter(LocalDate.now()));
+    }
+
+    public String personIdent() {
+        return Optional.ofNullable(identer()).map(Identer::identer).orElse(List.of()).stream()
+            .filter(i -> IdentGruppe.FOLKEREGISTERIDENT.equals(i.gruppe()))
+            .filter(i -> !i.historisk())
+            .map(Ident::ident)
+            .findFirst().orElse(null);
+    }
+
+    public List<String> personIdenter() {
+        return Optional.ofNullable(identer()).map(Identer::identer).orElse(List.of()).stream()
+            .filter(i -> IdentGruppe.FOLKEREGISTERIDENT.equals(i.gruppe()))
+            .map(Ident::ident)
+            .toList();
+    }
+
+    public String aktørId() {
+        return Optional.ofNullable(identer()).map(Identer::identer).orElse(List.of()).stream()
+            .filter(i -> IdentGruppe.AKTORID.equals(i.gruppe()))
+            .filter(i -> !i.historisk())
+            .map(Ident::ident)
+            .findFirst().orElse(null);
+    }
+
+    public List<String> aktørIdMedHistoriske() {
+        return Optional.ofNullable(identer()).map(Identer::identer).orElse(List.of()).stream()
+            .filter(i -> IdentGruppe.AKTORID.equals(i.gruppe()))
+            .map(Ident::ident)
+            .toList();
+    }
+
+    public boolean harNasjonalTilknytning() {
+        return Optional.ofNullable(geografiskTilknytning()).map(GeografiskTilknytning::gtType)
+            .filter(gtt -> GtType.KOMMUNE.equals(gtt) || GtType.BYDEL.equals(gtt))
+            .isPresent();
+    }
+
+    public boolean harIkkeNasjonalTilknytning() {
+        return Optional.ofNullable(geografiskTilknytning()).map(GeografiskTilknytning::gtType)
+            .filter(gtt -> GtType.KOMMUNE.equals(gtt) || GtType.BYDEL.equals(gtt))
+            .isEmpty();
+    }
+
+}

felles/tilgang/src/main/java/no/nav/vedtak/sikkerhet/tilgang/TilgangPersondataKlient.java

@@ -0,0 +1,83 @@
+package no.nav.vedtak.sikkerhet.tilgang;
+
+import java.net.URI;
+import java.net.http.HttpRequest;
+import java.time.Duration;
+import java.util.List;
+import java.util.Map;
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.MediaType;
+import no.nav.foreldrepenger.konfig.KonfigVerdi;
+import no.nav.vedtak.klient.http.DefaultHttpClient;
+import no.nav.vedtak.klient.http.HttpClientRequest;
+import no.nav.vedtak.mapper.json.DefaultJsonMapper;
+import no.nav.vedtak.sikkerhet.oidc.config.OpenIDProvider;
+import no.nav.vedtak.sikkerhet.oidc.token.TokenProvider;
+
+/*
+ * Informasjon fra PDL til bruk kun for tilgangskontroll
+ *
+ * PROD: SD innenfor FSS ellers https pdl-pip-api.intern.nav.no (scope: prod-fss:pdl:pdl-pip-api)
+ * DEV: SD innenfor FSS ellers https pdl-pip-api.dev.intern.nav.no (scope: dev-fss:pdl:pdl-pip-api)
+ */
+@ApplicationScoped
+public class TilgangPersondataKlient implements TilgangPersondata {
+
+    private static final String OIDC_AUTH_HEADER_PREFIX = "Bearer ";
+
+    private static final String BOLK_SUFFIX = "Bolk";
+
+    private URI personURI;
+    private URI personBolkURI;
+    private String personScopes;
+
+
+    TilgangPersondataKlient() {
+    } // CDI
+
+    @Inject
+    public TilgangPersondataKlient(@KonfigVerdi(value = "pdl.pip.endpoint.url", defaultVerdi = "http://pdl-pip-api.pdll/api/v1/person") String pdlPipUrl,
+                                   @KonfigVerdi(value = "pdl.pip.scopes", defaultVerdi = "api://prod-fss:pdl:pdl-pip-api/.default") String pdlPipScopes) {
+        this.personURI = URI.create(pdlPipUrl);
+        this.personBolkURI = URI.create(pdlPipUrl + BOLK_SUFFIX);
+        this.personScopes = pdlPipScopes;
+    }
+
+    @Override
+    public TilgangPersondataDto hentTilgangPersondata(String ident) {
+        var builder = HttpRequest.newBuilder(personURI)
+            .header(HttpHeaders.ACCEPT, MediaType.WILDCARD) // Bruk APPLICATION_JSON ?
+            .header(HttpHeaders.AUTHORIZATION, OIDC_AUTH_HEADER_PREFIX + TokenProvider.getTokenForSystem(OpenIDProvider.AZUREAD, personScopes).token())
+            .header("ident", ident)
+            .timeout(Duration.ofSeconds(5))
+            .GET();
+        var request = new PersondataRequest(builder);
+
+        var response = DefaultHttpClient.client().send(request);
+        return response != null ? DefaultJsonMapper.fromJson(response, TilgangPersondataDto.class) : null;
+    }
+
+    @Override
+    public Map<String, TilgangPersondataDto> hentTilgangPersondataBolk(List<String> identer) {
+        var builder = HttpRequest.newBuilder(personBolkURI)
+            .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON)
+            .header(HttpHeaders.ACCEPT, MediaType.WILDCARD) // Bruk APPLICATION_JSON ?
+            .header(HttpHeaders.AUTHORIZATION, OIDC_AUTH_HEADER_PREFIX + TokenProvider.getTokenForSystem(OpenIDProvider.AZUREAD, personScopes).token())
+            .timeout(Duration.ofSeconds(5))
+            .POST(HttpRequest.BodyPublishers.ofString(DefaultJsonMapper.toJson(identer)));
+        var request = new PersondataRequest(builder);
+
+        var response = DefaultHttpClient.client().send(request);
+        return response != null ? DefaultJsonMapper.mapFromJson(response, TilgangPersondataDto.class) : Map.of();
+    }
+
+
+    private static class PersondataRequest extends HttpClientRequest {
+        public PersondataRequest(HttpRequest.Builder builder) {
+            super(builder, Map.of());
+        }
+    }
+}

felles/tilgang/src/main/resources/META-INF/beans.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="https://jakarta.ee/xml/ns/jakartaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_3_0.xsd"
+       version="3.0"
+       bean-discovery-mode="annotated">
+</beans>