Får metrikker over konsumenter og typer token som brukes. (#1341)

navikt · Dec 12, 2023 · 89c95b3 · 89c95b3
1 parent e490c26
commit 89c95b3
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 3 deletions.
diff --git a/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/validator/ConsumerMetric.java b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/validator/ConsumerMetric.java
@@ -0,0 +1,36 @@
+package no.nav.vedtak.sikkerhet.oidc.validator;
+
+import static no.nav.vedtak.log.metrics.MetricsUtil.REGISTRY;
+
+import io.micrometer.core.instrument.Counter;
+import no.nav.vedtak.sikkerhet.kontekst.IdentType;
+import no.nav.vedtak.sikkerhet.oidc.config.OpenIDProvider;
+
+public class ConsumerMetric {
+
+    private static final String FORELDREPENGER_KONSUMENTER = "foreldrepenger.konsumenter";
+
+    private ConsumerMetric() {
+    }
+
+    public static void registrer(String klientNavn, String konsument, OpenIDProvider tokenType, IdentType identType, String acrLevel) {
+        counter(klientNavn, konsument, tokenType, identType, acrLevel).increment();
+    }
+    public static void registrer(String klientNavn, String konsument, OpenIDProvider tokenType, IdentType identType) {
+        counter(klientNavn, konsument, tokenType, identType, null).increment();
+    }
+
+    private static Counter counter(String klientNavn, String konsument, OpenIDProvider tokenType, IdentType identType, String acrLevel) {
+        var counter = Counter.builder(FORELDREPENGER_KONSUMENTER)
+            .tag("klient", klientNavn)
+            .tag("tokenType", tokenType.name())
+            .tag("identYype", identType.name())
+            .tag("konsument", konsument)
+            .description("Konsument og token brukt.");
+
+        if (acrLevel != null) {
+            counter.tag("acrLevel", acrLevel);
+        }
+        return counter.register(REGISTRY);
+    }
+}
diff --git a/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/validator/OidcTokenValidator.java b/felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/validator/OidcTokenValidator.java
@@ -22,6 +22,8 @@
 import no.nav.vedtak.sikkerhet.oidc.jwks.JwtHeader;
 import no.nav.vedtak.sikkerhet.oidc.token.TokenString;
 
+import static no.nav.vedtak.sikkerhet.oidc.validator.ConsumerMetric.registrer;
+
 public class OidcTokenValidator {
 
     private static final Set<String> AUTHENTICATION_LEVEL_ID_PORTEN = Set.of("Level4", "idporten-loa-high"); // Level4 er gammel og utgår ila 2023
@@ -35,7 +37,6 @@ public class OidcTokenValidator {
     private static final String IDTYP = "idtyp";
     private static final String APP = "app";
 
-
     private final OpenIDProvider provider;
     private final String expectedIssuer;
     private final String clientName;
@@ -126,7 +127,9 @@ public OidcTokenValidatorResult validate(TokenString tokenHolder) {
             } else if (OpenIDProvider.TOKENX.equals(provider)) {
                 return validateTokenX(claims, subject);
             } else {
-                return OidcTokenValidatorResult.valid(subject, IdentType.utledIdentType(subject), JwtUtil.getExpirationTimeRaw(claims));
+                var identType = IdentType.utledIdentType(subject);
+                registrer(clientName, subject, provider, identType);
+                return OidcTokenValidatorResult.valid(subject, identType, JwtUtil.getExpirationTimeRaw(claims));
             }
         } catch (InvalidJwtException e) {
             return OidcTokenValidatorResult.invalid(e.toString());
@@ -148,6 +151,7 @@ private String validateClaims(JwtClaims claims) {
     private OidcTokenValidatorResult validateAzure(JwtClaims claims, String subject) {
         if (isAzureClientCredentials(claims, subject)) {
             var brukSubject = Optional.ofNullable(JwtUtil.getStringClaim(claims, AzureProperty.AZP_NAME)).orElse(subject);
+            registrer(clientName, brukSubject, OpenIDProvider.AZUREAD, IdentType.Systemressurs);
             // Ta med bakoverkompatibelt navn ettersom azp_name er ganske langt (tabeller / opprettet_av)
             var sisteKolon = brukSubject.lastIndexOf(':');
             if (sisteKolon >= 0) {
@@ -161,6 +165,7 @@ private OidcTokenValidatorResult validateAzure(JwtClaims claims, String subject)
             }
         } else {
             var brukSubject = Optional.ofNullable(JwtUtil.getStringClaim(claims, AzureProperty.NAV_IDENT)).orElse(subject);
+            registrer(clientName, "Saksbehandler", OpenIDProvider.AZUREAD, IdentType.InternBruker);
             var grupper = Optional.ofNullable(JwtUtil.getStringListClaim(claims, AzureProperty.GRUPPER))
                     .map(arr -> GroupsProvider.instance().getGroupsFrom(arr))
                     .orElse(Set.of());
@@ -175,13 +180,15 @@ private boolean isAzureClientCredentials(JwtClaims claims, String subject) {
     }
 
     private OidcTokenValidatorResult validateTokenX(JwtClaims claims, String subject) {
-        var level4 = Optional.ofNullable(JwtUtil.getStringClaim(claims, ACR))
+        var acrClaim = JwtUtil.getStringClaim(claims, ACR);
+        var level4 = Optional.ofNullable(acrClaim)
             .filter(AUTHENTICATION_LEVEL_ID_PORTEN::contains)
             .isPresent();
         if (!level4) {
             return OidcTokenValidatorResult.invalid("TokenX token ikke på nivå 4");
         }
         var brukSubject = Optional.ofNullable(JwtUtil.getStringClaim(claims, PID)).orElse(subject);
+        registrer(clientName, "Borger", OpenIDProvider.TOKENX, IdentType.EksternBruker, acrClaim);
         return OidcTokenValidatorResult.valid(brukSubject, IdentType.EksternBruker, JwtUtil.getExpirationTimeRaw(claims));
     }