TokenX endepunkt for personalia

Author: sasoria

build.gradle.kts

@@ -45,6 +45,7 @@ dependencies {
     implementation(TmsKtorTokenSupport.tokendingsExchange)
     implementation(TmsKtorTokenSupport.idportenSidecar)
     implementation(TmsKtorTokenSupport.azureExchange)
+    implementation(TmsKtorTokenSupport.tokenXValidation)
     implementation(Logstash.logbackEncoder)
     implementation(Micrometer.registryPrometheus)
     implementation(Prometheus.common)
@@ -67,6 +68,7 @@ dependencies {
     testImplementation(Jjwt.api)
     testImplementation(Mockk.mockk)
     testImplementation(TmsKtorTokenSupport.idportenSidecarMock)
+    testImplementation(TmsKtorTokenSupport.tokenXValidationMock)
     testImplementation(TmsCommonLib.testutils)
 }
 

nais/dev-gcp/nais.yaml

@@ -43,6 +43,9 @@ spec:
       cpu: "20m"
       memory: 128Mi
   accessPolicy:
+    inbound:
+      rules:
+        - application: tms-min-side-proxy
     outbound:
       external:
         - host: veilarboppfolging.dev-fss-pub.nais.io

nais/prod-gcp/nais.yaml

@@ -41,6 +41,9 @@ spec:
       cpu: "50m"
       memory: 256Mi
   accessPolicy:
+    inbound:
+      rules:
+        - application: tms-min-side-proxy
     outbound:
       external:
         - host: veilarboppfolging.prod-fss-pub.nais.io

src/main/kotlin/no/nav/tms/min/side/proxy/Application.kt

@@ -16,6 +16,7 @@ import io.ktor.server.engine.embeddedServer
 import io.ktor.server.netty.Netty
 import no.nav.tms.common.util.config.StringEnvVar
 import no.nav.tms.min.side.proxy.personalia.NavnFetcher
+import no.nav.tms.min.side.proxy.personalia.PersonaliaFetcher
 import no.nav.tms.token.support.azure.exchange.AzureServiceBuilder
 import no.nav.tms.token.support.tokendings.exchange.TokendingsServiceBuilder
 
@@ -93,6 +94,14 @@ data class AppConfiguration(
         pdlBehandlingsnummer,
         tokendingsService
     )
+
+    val personaliaFetcher = PersonaliaFetcher(
+        httpClient,
+        pdlApiUrl,
+        pdlApiClientId,
+        pdlBehandlingsnummer,
+        tokendingsService
+    )
 }
 
 fun ObjectMapper.jsonConfig() {
@@ -110,6 +119,7 @@ fun ApplicationEngineEnvironmentBuilder.envConfig(appConfig: AppConfiguration) {
             contentFetcher = appConfig.contentFecther,
             externalContentFetcher = appConfig.externalContentFetcher,
             navnFetcher = appConfig.navnFetcher,
+            personaliaFetcher = appConfig.personaliaFetcher,
             unleash = setupUnleash(
                 unleashApiUrl = appConfig.unleashServerApiUrl,
                 unleashApiKey = appConfig.unleashServerApiToken,

src/main/kotlin/no/nav/tms/min/side/proxy/personalia/NavnFetcher.kt

@@ -78,7 +78,7 @@ class NavnFetcher(
 
 class HentNavnException(message: String, cause: Exception? = null): Exception(message, cause)
 
-private class HentNavn(ident: String) {
+class HentNavn(ident: String) {
     val query = """
         query(${'$'}ident: ID!) {
             hentPerson(ident: ${'$'}ident) {
@@ -102,7 +102,7 @@ fun String.compactJson(): String =
         .replace("\n", " ")
         .replace("\\s+".toRegex(), " ")
 
-private data class HentNavnResponse(
+data class HentNavnResponse(
     val data: HentNavnData?,
     val errors: List<Map<String, Any>>?
 ) {

src/main/kotlin/no/nav/tms/min/side/proxy/personalia/PersonaliaFetcher.kt

@@ -0,0 +1,78 @@
+package no.nav.tms.min.side.proxy.personalia
+
+import com.github.benmanes.caffeine.cache.Caffeine
+import io.github.oshai.kotlinlogging.KotlinLogging
+import io.ktor.client.*
+import io.ktor.client.call.*
+import io.ktor.client.request.*
+import io.ktor.http.*
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.runBlocking
+import no.nav.tms.token.support.tokendings.exchange.TokendingsService
+import no.nav.tms.token.support.tokenx.validation.user.TokenXUser
+import java.time.Duration
+
+class PersonaliaFetcher(
+    private val client: HttpClient,
+    private val pdlUrl: String,
+    private val pdlClientId: String,
+    private val pdlBehandlingsnummer: String,
+    private val tokendingsService: TokendingsService
+) {
+
+    private val cache = Caffeine.newBuilder()
+        .maximumSize(10000)
+        .expireAfterWrite(Duration.ofMinutes(5))
+        .build<String, String>()
+
+    private val log = KotlinLogging.logger {}
+    private val securelog = KotlinLogging.logger("secureLog")
+
+    fun getNavn(user: TokenXUser): String {
+        return cache.get(user.ident) {
+            fetchNavn(user)
+        }
+    }
+
+    private fun fetchNavn(user: TokenXUser): String = runBlocking(Dispatchers.IO) {
+        tokendingsService.exchangeToken(user.tokenString, pdlClientId)
+            .let { token -> queryForNavn(user.ident, token) }
+            .let { response -> checkForErrors(response) }
+            .hentPerson.fullnavn
+    }
+
+    private suspend fun queryForNavn(ident: String, token: String): HentNavnResponse {
+        val response = client.post {
+            url(pdlUrl)
+            header(HttpHeaders.Authorization, "Bearer $token")
+            header("Behandlingsnummer", pdlBehandlingsnummer)
+            header("Tema", "GEN")
+            contentType(ContentType.Application.Json)
+            setBody(HentNavn(ident))
+        }
+
+        if (!response.status.isSuccess()) {
+            throw HentNavnException("Fikk http-feil fra PDL")
+        }
+
+        return try {
+            response.body()
+        } catch (e: Exception) {
+            securelog.error(e) { "Klarer ikke tolke svar fra PDL." }
+            throw HentNavnException("Klarte ikke tolke svar fra PDL", e)
+        }
+    }
+
+    private fun checkForErrors(response: HentNavnResponse): HentNavnResponse.HentNavnData {
+
+        response.errors?.let { errors ->
+            if (errors.isNotEmpty()) {
+                log.warn { "Feil i GraphQL-responsen: $errors" }
+                throw HentNavnException("Feil i responsen under henting av navn")
+            }
+        }
+
+        return response.data?: throw HentNavnException("Ingen data i graphql-svar.")
+    }
+}
+

src/main/kotlin/no/nav/tms/min/side/proxy/personalia/navnRoutes.kt

@@ -26,10 +26,10 @@ fun Route.navnRoutes(navnFetcher: NavnFetcher) {
     }
 }
 
-private data class Navn(val navn: String)
-private data class Ident(val ident: String)
+data class Navn(val navn: String)
+data class Ident(val ident: String)
 
-private data class NavnAndIdent(
+data class NavnAndIdent(
     val navn: String?,
     val ident: String
 )

src/main/kotlin/no/nav/tms/min/side/proxy/personalia/personaliaRoutes.kt

@@ -0,0 +1,21 @@
+package no.nav.tms.min.side.proxy.personalia
+
+import io.ktor.server.application.*
+import io.ktor.server.response.*
+import io.ktor.server.routing.*
+import io.ktor.util.pipeline.*
+import no.nav.tms.token.support.tokenx.validation.user.TokenXUserFactory
+
+fun Route.personaliaRoutes(personaliaFetcher: PersonaliaFetcher) {
+    get("/personalia") {
+        try {
+            personaliaFetcher.getNavn(user)
+                .let { navn -> call.respond(NavnAndIdent(navn, user.ident)) }
+        } catch (e: HentNavnException) {
+            call.respond(NavnAndIdent(navn = null, ident = user.ident))
+        }
+    }
+}
+
+private val PipelineContext<Unit, ApplicationCall>.user
+    get() = TokenXUserFactory.createTokenXUser(call)

src/main/kotlin/no/nav/tms/min/side/proxy/proxyApi.kt

@@ -18,13 +18,13 @@ import io.micrometer.prometheus.PrometheusMeterRegistry
 import io.github.oshai.kotlinlogging.KotlinLogging
 import io.ktor.serialization.jackson.*
 import no.nav.tms.common.metrics.installTmsMicrometerMetrics
-import no.nav.tms.min.side.proxy.personalia.HentNavnException
-import no.nav.tms.min.side.proxy.personalia.NavnFetcher
-import no.nav.tms.min.side.proxy.personalia.navnRoutes
 import no.nav.tms.token.support.idporten.sidecar.IdPortenLogin
 import no.nav.tms.token.support.idporten.sidecar.LevelOfAssurance.SUBSTANTIAL
 import no.nav.tms.token.support.idporten.sidecar.idPorten
 import no.nav.tms.common.observability.ApiMdc
+import no.nav.tms.min.side.proxy.personalia.*
+import no.nav.tms.token.support.tokenx.validation.TokenXAuthenticator
+import no.nav.tms.token.support.tokenx.validation.tokenX
 
 private val log = KotlinLogging.logger {}
 private val securelog = KotlinLogging.logger("secureLog")
@@ -34,15 +34,26 @@ fun Application.proxyApi(
     contentFetcher: ContentFetcher,
     externalContentFetcher: ExternalContentFetcher,
     navnFetcher: NavnFetcher,
+    personaliaFetcher: PersonaliaFetcher,
     idportenAuthInstaller: Application.() -> Unit = {
         authentication {
             idPorten {
                 setAsDefault = true
                 levelOfAssurance = SUBSTANTIAL
             }
+            tokenX {
+                setAsDefault = false
+            }
         }
         install(IdPortenLogin)
     },
+    tokenXAuthInstaller: Application.() -> Unit = {
+        authentication {
+            tokenX {
+                setAsDefault = false
+            }
+        }
+    },
     unleash: Unleash
 ) {
     val collectorRegistry = PrometheusMeterRegistry(PrometheusConfig.DEFAULT)
@@ -86,6 +97,7 @@ fun Application.proxyApi(
     }
 
     idportenAuthInstaller()
+    tokenXAuthInstaller()
 
     installTmsMicrometerMetrics {
         installMicrometerPlugin = true
@@ -120,6 +132,9 @@ fun Application.proxyApi(
                 )
             }
         }
+        authenticate(TokenXAuthenticator.name) {
+            personaliaRoutes(personaliaFetcher)
+        }
     }
 
     configureShutdownHook(contentFetcher)

src/test/kotlin/no/nav/tms/min/side/proxy/GetRoutesTest.kt

@@ -49,7 +49,8 @@ class GetRoutesTest {
         mockApi(
             contentFetcher = contentFecther(proxyHttpClient),
             externalContentFetcher = externalContentFetcher(proxyHttpClient),
-            navnFetcher = mockk()
+            navnFetcher = mockk(),
+            personaliaFetcher = mockk()
         )
 
         initExternalServices(
@@ -96,7 +97,8 @@ class GetRoutesTest {
         mockApi(
             contentFetcher = contentFecther(proxyHttpClient),
             externalContentFetcher = externalContentFetcher(proxyHttpClient),
-            navnFetcher = mockk()
+            navnFetcher = mockk(),
+            personaliaFetcher = mockk()
         )
 
         initExternalServices(
@@ -129,7 +131,8 @@ class GetRoutesTest {
         mockApi(
             contentFetcher = contentFecther(proxyHttpClient),
             externalContentFetcher = externalContentFetcher(proxyHttpClient),
-            navnFetcher = mockk()
+            navnFetcher = mockk(),
+            personaliaFetcher = mockk()
         )
 
         client.get("/internal/isAlive").status shouldBe HttpStatusCode.OK
@@ -148,7 +151,8 @@ class GetRoutesTest {
             contentFetcher = contentFecther(proxyHttpClient),
             externalContentFetcher = externalContentFetcher(proxyHttpClient),
             unleash = unleash,
-            navnFetcher = mockk()
+            navnFetcher = mockk(),
+            personaliaFetcher = mockk()
         )
 
         client.get("/featuretoggles").assert {
@@ -159,7 +163,12 @@ class GetRoutesTest {
 
     @Test
     fun authPing() = testApplication {
-        mockApi(contentFetcher = mockk(), externalContentFetcher = mockk(), navnFetcher = mockk())
+        mockApi(
+            contentFetcher = mockk(),
+            externalContentFetcher = mockk(),
+            navnFetcher = mockk(),
+            personaliaFetcher = mockk()
+        )
         client.get("/authPing").status shouldBe HttpStatusCode.OK
     }
 
@@ -170,6 +179,7 @@ class GetRoutesTest {
                 contentFetcher = mockk(),
                 externalContentFetcher = mockk(),
                 navnFetcher = mockk(),
+                personaliaFetcher = mockk(),
                 levelOfAssurance = LevelOfAssurance.SUBSTANTIAL
             )
 

src/test/kotlin/no/nav/tms/min/side/proxy/PostRoutesTest.kt

@@ -21,7 +21,8 @@ class PostRoutesTest {
         mockApi(
             contentFetcher = contentFecther(proxyHttpClient),
             externalContentFetcher = externalContentFetcher(proxyHttpClient),
-            navnFetcher = mockk()
+            navnFetcher = mockk(),
+            personaliaFetcher = mockk()
         )
 
         initExternalServices(