Merge pull request #1332 from navikt/feature/mottaksadresse-v2

Feature/mottaksadresse v2

Author: magnurh-cx

.nais/bygger/nais.yaml

@@ -52,23 +52,29 @@ spec:
       value: http://formio-api
     - name: FORMIO_PROJECT_NAME
       value: jvcemxwcpghcqjn
+    - name: FORMS_API_URL
+      value: http://forms-api.fyllut-sendinn
     {{#each environmentVars}}
     - name: {{this.name}}
       value: {{this.value}}
     {{/each}}
+    {{#each azure.ad_groups}}
+    - name: "FORMS_API_AD_GROUP_{{this.type}}"
+      value: "{{this.id}}"
+    {{/each }}
   envFrom:
   {{#each secrets as |secret|}}
     - secret: {{secret}}
   {{/each}}
   azure:
     application:
       enabled: true
-      tenant: nav.no
       allowAllUsers: false
       claims:
         groups:
-          - id: 1d12af59-d953-4f85-9f65-d8cbf6672deb
-          - id: 0c0e4023-5fd3-4cfe-8b40-3b98645bb08f
+        {{#each azure.ad_groups}}
+          - id: "{{this.id}}"
+        {{/each}}
         extra:
           - NAVident
     sidecar:
@@ -79,6 +85,8 @@ spec:
   accessPolicy:
     outbound:
       rules:
+        - application: forms-api
+          namespace: fyllut-sendinn
       {{#each accessPolicy.outbound.rules}}
         - application: {{this.application}}
           namespace: {{this.namespace}}

.nais/bygger/preprod-alt.yaml

@@ -35,3 +35,9 @@ environmentVars:
     value: http://formio-enterprise-server
   - name: FORMIO_PROJECT_NAME_PROD
     value: jvcemxwcpghcqjn
+azure:
+  ad_groups:
+    - id: b7012a89-90b9-4215-b7dc-988b929216e9
+      type: USER
+    - id: 5398ed9e-bb41-43f5-9434-120b0116953c
+      type: ADMIN

.nais/bygger/preprod.yaml

@@ -38,3 +38,9 @@ environmentVars:
     value: http://formio-enterprise-server
   - name: FORMIO_PROJECT_NAME_PROD
     value: jvcemxwcpghcqjn
+azure:
+  ad_groups:
+    - id: b7012a89-90b9-4215-b7dc-988b929216e9
+      type: USER
+    - id: 5398ed9e-bb41-43f5-9434-120b0116953c
+      type: ADMIN

.nais/bygger/prod.yaml

@@ -27,3 +27,9 @@ secrets:
   - bygger-pusher
   - github-app-installation
 environmentVars: []
+azure:
+  ad_groups:
+    - id: 1d12af59-d953-4f85-9f65-d8cbf6672deb
+      type: USER
+    - id: 0c0e4023-5fd3-4cfe-8b40-3b98645bb08f
+      type: ADMIN

README.md

@@ -98,6 +98,18 @@ til url til den lokale instansen av innsending-api i miljøvariabelen `SEND_INN_
 
     SEND_INN_HOST=http://127.0.0.1:9064
 
+## Kjøre Bygger lokalt med integrasjon mot forms-api
+
+For kontinuerlig utvikling mot forms-api er det best å hente ned og kjøre https://github.com/navikt/forms-api lokalt.
+Sett miljøvariabelen `FORMS_API_URL` i byggeren sin `.env`-fil til riktig port på localhost. F.eks:
+
+    FORMS_API_URL=http://localhost:8082
+
+Alternativt kan du bruke [azure-token-generator](https://azure-token-generator.intern.dev.nav.no/api/obo?aud=dev-gcp:fyllut-sendinn:forms-api) (krever trygdeetaten-bruker) til å generere et midlertidig access token for å nå forms-api i preprod. Merk at tokenet kun er gyldig en begrenset periode. Legg til følgende miljøvariabler for å få tilgang.
+
+    FORMS_API_URL=https://forms-api.intern.dev.nav.no
+    FORMS_API_ACCESS_TOKEN=<access-token> // Bruk access_token fra responsen til azure-token-generator
+
 ## Teste publisering av skjema på lokal maskin
 
 Byggeren er konfigurert med default-verdier lokalt som sørger for at eventuelle publiseringer blir gjort mot en

packages/bygger-backend/src/config/development.ts

@@ -1,6 +1,7 @@
 import {
   AzureConfig,
   FormioConfig,
+  FormsApiConfig,
   FyllutConfig,
   GithubAppConfig,
   PublishRepoConfig,
@@ -38,6 +39,14 @@ export const devFyllut: Partial<FyllutConfig> = {
   baseUrl: 'https://skjemadelingslenke.ekstern.dev.nav.no/fyllut',
 };
 
+export const devFormsApi: FormsApiConfig = {
+  url: 'https://forms-api.intern.dev.nav.no',
+  adGroups: {
+    user: 'b7012a89-90b9-4215-b7dc-988b929216e9',
+    admin: '5398ed9e-bb41-43f5-9434-120b0116953c',
+  },
+};
+
 export const devPusher: Partial<PusherConfig> = {
   cluster: 'eu',
 };

packages/bygger-backend/src/config/index.ts

@@ -4,6 +4,7 @@ import {
   devAzure,
   devEnabledFeatures,
   devFormio,
+  devFormsApi,
   devFyllut,
   devGithub,
   devGithubApp,
@@ -36,6 +37,8 @@ const optionalEnv = (name: string): string | undefined => {
 };
 
 const naisClusterName = env('NAIS_CLUSTER_NAME') as 'dev-gcp' | 'prod-gcp' | undefined;
+const isProduction = nodeEnv === 'production';
+const isDevelopment = nodeEnv === 'development';
 
 const config: ConfigType = {
   azure: {
@@ -88,6 +91,14 @@ const config: ConfigType = {
     baseUrl: env('FYLLUT_BASE_URL', devFyllut.baseUrl),
     skjemadelingslenkeUrl: 'https://skjemadelingslenke.ekstern.dev.nav.no/fyllut',
   },
+  formsApi: {
+    url: env('FORMS_API_URL', devFormsApi.url),
+    adGroups: {
+      user: env('FORMS_API_AD_GROUP_USER', devFormsApi.adGroups.user),
+      admin: env('FORMS_API_AD_GROUP_ADMIN', devFormsApi.adGroups.admin),
+    },
+    devToken: isDevelopment ? optionalEnv('FORMS_API_ACCESS_TOKEN') : undefined,
+  },
   pusher: {
     cluster: env('PUSHER_CLUSTER', devPusher.cluster),
     key: env('PUSHER_KEY'),
@@ -96,8 +107,8 @@ const config: ConfigType = {
   },
   nodeEnv,
   port: parseInt(process.env.PORT || '8080'),
-  isProduction: nodeEnv === 'production',
-  isDevelopment: nodeEnv === 'development',
+  isProduction,
+  isDevelopment,
   featureToggles: featureUtils.toFeatureToggles(env('ENABLED_FEATURES', devEnabledFeatures)),
   naisClusterName,
   frontendLoggerConfig: configUtils.loadJsonFromEnv('BYGGER_FRONTEND_LOGCONFIG'),

packages/bygger-backend/src/config/types.d.ts

@@ -34,6 +34,15 @@ export type FyllutConfig = {
   skjemadelingslenkeUrl: string;
 };
 
+export type FormsApiConfig = {
+  url: string;
+  adGroups: {
+    user: string;
+    admin: string;
+  };
+  devToken?: string;
+};
+
 export type PusherConfig = {
   cluster: string;
   key: string;
@@ -58,6 +67,7 @@ export type ConfigType = {
   formio: FormioConfig;
   prodFormio?: Pick<FormioConfig, 'apiService' | 'projectName'>;
   fyllut: FyllutConfig;
+  formsApi: FormsApiConfig;
   pusher: PusherConfig;
   githubApp: GithubAppConfig;
   gitSha: string;

packages/bygger-backend/src/middleware/authHandler.ts

@@ -6,7 +6,6 @@ import config from '../config';
 import { logger } from '../logging/logger';
 import { AzureAdTokenPayload, User } from '../types/custom';
 import { getDevUser } from '../util/devUser';
-import { adGroups } from './azureAd';
 
 function toExpiredDateString(exp?: number) {
   if (exp) {
@@ -62,12 +61,13 @@ const authHandler = async (req: Request, res: Response, next: NextFunction) => {
       return res.sendStatus(401);
     }
 
+    const { adGroups } = config.formsApi;
     logger.info(`Validation of jwt token succeeded (expires ${toExpiredDateString(tokenPayload.exp)})`);
     req.getUser = () => ({
       name: tokenPayload.name,
       preferredUsername: tokenPayload.preferred_username,
       NAVident: tokenPayload.NAVident,
-      isAdmin: tokenPayload.groups?.includes(adGroups.ADMINISTRATOR) || false,
+      isAdmin: tokenPayload.groups?.includes(adGroups.admin) || false,
     });
   }
   next();

packages/bygger-backend/src/middleware/azureAd.ts

@@ -1,11 +1,6 @@
 import { RequestHandler } from 'express';
 import { UnauthorizedError } from '../routers/api/helpers/errors';
 
-const adGroups = {
-  USER: '1d12af59-d953-4f85-9f65-d8cbf6672deb',
-  ADMINISTRATOR: '0c0e4023-5fd3-4cfe-8b40-3b98645bb08f',
-};
-
 const adHandlers: RequestHandlers = {
   isAdmin: (req, res, next) => {
     if (req.getUser().isAdmin) {
@@ -20,4 +15,4 @@ type RequestHandlers = {
   [key: string]: RequestHandler;
 };
 
-export { adGroups, adHandlers };
+export { adHandlers };

packages/bygger-backend/src/routers/api/helpers/authHandlers.ts

@@ -0,0 +1,12 @@
+import appConfig from '../../../config';
+import authorizedPublisher from './authorizedPublisher';
+import azureOnBehalfOfTokenHandler from './azureOnBehalfOfTokenHandler';
+
+const { naisClusterName, formsApi } = appConfig;
+
+const authHandlers = {
+  authorizedPublisher,
+  formsApiAuthHandler: azureOnBehalfOfTokenHandler(`${naisClusterName}.fyllut-sendinn.forms-api`, formsApi.devToken),
+};
+
+export default authHandlers;

packages/bygger-backend/src/routers/api/helpers/azureOnBehalfOfTokenHandler.ts

@@ -0,0 +1,50 @@
+import { NextFunction, Request, Response } from 'express';
+import qs from 'qs';
+import config from '../../../config';
+import { fetchWithErrorHandling } from '../../../fetchUtils';
+import { logger } from '../../../logging/logger';
+import { UnauthorizedError } from './errors';
+
+const { azure, isDevelopment } = config;
+
+const azureOnBehalfOfTokenHandler =
+  (scope: string, devToken?: string) => async (req: Request, res: Response, next: NextFunction) => {
+    const accessToken = req.get('Authorization')?.replace('Bearer ', '');
+
+    if (isDevelopment) {
+      if (devToken) {
+        req.headers.AzureAccessToken = devToken;
+        logger.info('Using pre-generated access token to fetch');
+      } else {
+        logger.info(`Skipping Azure access token fetch (scope='${scope}')`);
+      }
+      return next();
+    }
+
+    try {
+      const response = await fetchWithErrorHandling(azure.openidTokenEndpoint, {
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        method: 'POST',
+        body: qs.stringify({
+          assertion: accessToken,
+          client_id: azure.clientId,
+          client_secret: azure.clientSecret,
+          grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+          requested_token_use: 'on_behalf_of',
+          scope: `api://${scope}/.default`,
+        }),
+      });
+      req.headers.AzureAccessToken = (response.data as any).access_token;
+      next();
+    } catch (error: any) {
+      if (error.http_response_body) {
+        next(new UnauthorizedError(`Access token failed with: ${JSON.stringify(error.http_response_body)}`));
+      } else {
+        next(new UnauthorizedError(`Access token failed with: ${JSON.stringify(error)}`));
+      }
+
+      next(error);
+    }
+  };
+
+export default azureOnBehalfOfTokenHandler;

packages/bygger-backend/src/routers/api/index.ts

@@ -9,7 +9,7 @@ import formDiff from './formDiff';
 import formsRouter from './forms';
 import globalTranslationsRouter from './global-translations';
 import apiErrorHandler from './helpers/apiErrorHandler';
-import authorizedPublisher from './helpers/authorizedPublisher';
+import authHandlers from './helpers/authHandlers';
 import importRouter from './import';
 import log from './log';
 import migrate from './migrate';
@@ -19,11 +19,13 @@ import publishForm from './publish-form';
 import publishForms from './publish-forms';
 import publishResource from './publish-resource';
 import publishedForms from './published-forms';
+import recipientsRouter from './recipients';
 import reportsRouter from './reports';
 import temakoder from './temakoder';
 import unpublishForm from './unpublish-form';
 
 const apiRouter = express.Router();
+const { authorizedPublisher, formsApiAuthHandler } = authHandlers;
 
 apiRouter.get('/config', config);
 apiRouter.put('/publish/:formPath', authorizedPublisher, deprecatedPublishForm);
@@ -42,6 +44,7 @@ apiRouter.get('/migrate/preview/:formPath', migratePreview);
 apiRouter.post('/migrate/update', authorizedPublisher, migrateUpdate);
 apiRouter.get('/form/:formPath/diff', formDiff);
 apiRouter.use('/forms', formsRouter);
+apiRouter.use('/recipients', formsApiAuthHandler, recipientsRouter);
 apiRouter.use('/import', importRouter);
 apiRouter.use('/global-translations', authorizedPublisher, globalTranslationsRouter);
 apiRouter.post('/log/:level', rateLimiter(60000, 60), log);

packages/bygger-backend/src/routers/api/recipients/index.ts

@@ -0,0 +1,12 @@
+import { Router } from 'express';
+import recipients from './recipients';
+
+const recipientsRouter = Router();
+
+recipientsRouter.get('/', recipients.getAll);
+recipientsRouter.get('/:recipientId', recipients.get);
+recipientsRouter.post('/', recipients.post);
+recipientsRouter.put('/:recipientId', recipients.put);
+recipientsRouter.delete('/:recipientId', recipients.deleteRecipient);
+
+export default recipientsRouter;

packages/bygger-backend/src/routers/api/recipients/recipients.ts

@@ -0,0 +1,62 @@
+import { RequestHandler } from 'express';
+import { recipientService } from '../../../services';
+
+const getAll: RequestHandler = async (req, res, next) => {
+  try {
+    const allRecipients = await recipientService.getAll();
+    res.json(allRecipients);
+  } catch (error) {
+    next(error);
+  }
+};
+
+const get: RequestHandler = async (req, res, next) => {
+  try {
+    const { recipientId } = req.params;
+    const recipient = await recipientService.get(recipientId);
+    res.json(recipient);
+  } catch (error) {
+    next(error);
+  }
+};
+
+const post: RequestHandler = async (req, res, next) => {
+  const accessToken = req.headers.AzureAccessToken as string;
+  try {
+    const recipient = await recipientService.post(req.body, accessToken);
+    res.status(201).json(recipient);
+  } catch (error) {
+    next(error);
+  }
+};
+
+const put: RequestHandler = async (req, res, next) => {
+  const { recipientId } = req.params;
+  const accessToken = req.headers.AzureAccessToken as string;
+  try {
+    const recipient = await recipientService.put(recipientId, req.body, accessToken);
+    res.json(recipient);
+  } catch (error) {
+    next(error);
+  }
+};
+
+const deleteRecipient: RequestHandler = async (req, res, next) => {
+  const { recipientId } = req.params;
+  const accessToken = req.headers.AzureAccessToken as string;
+  try {
+    await recipientService.delete(recipientId, accessToken);
+    res.status(204).send();
+  } catch (error) {
+    next(error);
+  }
+};
+
+const recipients = {
+  getAll,
+  get,
+  post,
+  put,
+  deleteRecipient,
+};
+export default recipients;