From c3e909e1095fe3a4908f408428c00ccdd90eb8f5 Mon Sep 17 00:00:00 2001 
From: Cato Olsen Date: Thu, 12 Dec 2024 14:14:57 +0100 Subject: [PATCH 1/3] - Collecting all subclasses of ClientCredential in security-core. - Added factory for autoconfiguration of ClientCredential beans. - Added default beans for "test" profile. --- .../profil/service/AzureAdTokenService.java | 5 +- ...cureOAuth2ServerToServerConfiguration.java | 6 -- .../reactivesecurity/domain/AccessScopes.java | 26 ------ .../domain/AzureNavProxyClientCredential.java | 24 ----- .../AzureTrygdeetatenClientCredential.java | 41 --------- .../reactivesecurity/domain/Scopeable.java | 5 - .../azuread/NavAzureAdTokenService.java | 2 +- .../TrygdeetatenAzureAdTokenService.java | 2 +- .../exchange/AzureAdTokenExchange.java | 5 - .../azuread/AzureNavClientCredential.java | 11 +-- .../AzureNavProxyClientCredential.java | 17 ++++ .../AzureTrygdeetatenClientCredential.java | 36 ++++++++ .../domain/azuread/ClientCredential.java | 15 +-- .../azuread/ClientCredentialConfig.java | 91 +++++++++++++++++++ ...itional-spring-configuration-metadata.json | 44 +++++++++ ...ot.autoconfigure.AutoConfiguration.imports | 1 + ...nsecureJwtServerToServerConfiguration.java | 4 +- ...cureOAuth2ServerToServerConfiguration.java | 2 - 18 files changed, 205 insertions(+), 132 deletions(-) delete mode 100644 libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/domain/AccessScopes.java delete mode 100644 libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/domain/AzureNavProxyClientCredential.java delete mode 100644 libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/domain/AzureTrygdeetatenClientCredential.java delete mode 100644 libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/domain/Scopeable.java create mode 100644 libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureNavProxyClientCredential.java create mode 100644 
libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureTrygdeetatenClientCredential.java create mode 100644 libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/ClientCredentialConfig.java create mode 100644 libs/security-core/src/main/resources/META-INF/additional-spring-configuration-metadata.json create mode 100644 libs/security-core/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports diff --git a/apps/profil-api/src/main/java/no/nav/registre/testnorge/profil/service/AzureAdTokenService.java b/apps/profil-api/src/main/java/no/nav/registre/testnorge/profil/service/AzureAdTokenService.java index 07cbc158beb..5333a97d46a 100644 --- a/apps/profil-api/src/main/java/no/nav/registre/testnorge/profil/service/AzureAdTokenService.java +++ b/apps/profil-api/src/main/java/no/nav/registre/testnorge/profil/service/AzureAdTokenService.java @@ -1,6 +1,7 @@ package no.nav.registre.testnorge.profil.service; import lombok.extern.slf4j.Slf4j; +import no.nav.testnav.libs.securitycore.domain.azuread.AzureNavClientCredential; import org.springframework.beans.factory.annotation.Value; import org.springframework.http.HttpHeaders; import org.springframework.http.MediaType; @@ -15,15 +16,13 @@ import no.nav.testnav.libs.securitycore.command.azuread.OnBehalfOfExchangeCommand; import no.nav.testnav.libs.securitycore.domain.AccessToken; -import no.nav.testnav.libs.securitycore.domain.azuread.AzureNavClientCredential; -import no.nav.testnav.libs.securitycore.domain.azuread.ClientCredential; import no.nav.testnav.libs.servletsecurity.action.GetAuthenticatedToken; @Slf4j @Service public class AzureAdTokenService { private final WebClient webClient; - private final ClientCredential clientCredential; + private final AzureNavClientCredential clientCredential; private final GetAuthenticatedToken getAuthenticatedToken; public AzureAdTokenService( 
diff --git a/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/config/SecureOAuth2ServerToServerConfiguration.java b/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/config/SecureOAuth2ServerToServerConfiguration.java index af8a38815fe..68ddf790a06 100644 --- a/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/config/SecureOAuth2ServerToServerConfiguration.java +++ b/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/config/SecureOAuth2ServerToServerConfiguration.java @@ -1,6 +1,5 @@ package no.nav.testnav.libs.reactivesecurity.config; -import no.nav.testnav.libs.reactivesecurity.domain.AzureNavProxyClientCredential; import no.nav.testnav.libs.reactivesecurity.exchange.azuread.NavAzureAdTokenService; import no.nav.testnav.libs.reactivesecurity.properties.TrygdeetatenAzureAdResourceServerProperties; import org.springframework.beans.factory.annotation.Value; @@ -14,7 +13,6 @@ import no.nav.testnav.libs.reactivesecurity.action.GetAuthenticatedResourceServerType; import no.nav.testnav.libs.reactivesecurity.action.GetAuthenticatedToken; import no.nav.testnav.libs.reactivesecurity.action.GetAuthenticatedUserId; -import no.nav.testnav.libs.reactivesecurity.domain.AzureTrygdeetatenClientCredential; import no.nav.testnav.libs.reactivesecurity.exchange.TokenExchange; import no.nav.testnav.libs.reactivesecurity.exchange.azuread.AzureAdTokenService; import no.nav.testnav.libs.reactivesecurity.exchange.azuread.TrygdeetatenAzureAdTokenService; 
@@ -23,12 +21,10 @@ import no.nav.testnav.libs.reactivesecurity.properties.AzureAdResourceServerProperties; import no.nav.testnav.libs.reactivesecurity.properties.ResourceServerProperties; import no.nav.testnav.libs.reactivesecurity.properties.TokenxResourceServerProperties; -import no.nav.testnav.libs.securitycore.domain.azuread.AzureNavClientCredential; import no.nav.testnav.libs.securitycore.domain.tokenx.TokenXProperties; @Configuration @Import({ - AzureNavClientCredential.class, TokenXService.class, TokenxResourceServerProperties.class, AzureAdResourceServerProperties.class, @@ -39,9 +35,7 @@ GetAuthenticatedResourceServerType.class, GetAuthenticatedToken.class, TokenXProperties.class, - AzureTrygdeetatenClientCredential.class, TrygdeetatenAzureAdTokenService.class, - AzureNavProxyClientCredential.class, NavAzureAdTokenService.class }) public class SecureOAuth2ServerToServerConfiguration { diff --git a/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/domain/AccessScopes.java b/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/domain/AccessScopes.java deleted file mode 100644 index e1a65ddd613..00000000000 --- a/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/domain/AccessScopes.java +++ /dev/null @@ -1,26 +0,0 @@ -package no.nav.testnav.libs.reactivesecurity.domain; - -import java.util.Arrays; -import java.util.Collections; -import java.util.List; - - -public class AccessScopes { - private final List scopes; - - public AccessScopes(List scopes) { - this.scopes = scopes; - } - - public AccessScopes(String... scopes) { - this.scopes = Arrays.asList(scopes); - } - - public AccessScopes(Scopeable scopeable) { - this.scopes = Collections.singletonList(scopeable.toScope()); - } - - public List getScopes() { - return scopes; - } -} 
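Review bot: The second hunk still lists `TrygdeetatenAzureAdTokenService.class` and `NavAzureAdTokenService.class` in `@Import` unconditionally, while the credential beans they used to get from this module (`AzureTrygdeetatenClientCredential`, `AzureNavProxyClientCredential`) now come from security-core's `ClientCredentialConfig`, which only creates them when `AZURE_TRYGDEETATEN_OPENID_CONFIG_TOKEN_ENDPOINT` / `AZURE_NAV_OPENID_CONFIG_TOKEN_ENDPOINT` is set (or under the `test` profile). Before this change those beans always existed, with a null endpoint; if either service takes its credential as a required constructor dependency (their constructors are not in this diff), an app using this configuration without those properties will now fail at context startup rather than at first use. Either guard the two services with the same `@ConditionalOnProperty`, or state the new requirement on the class: `/** Client-credential beans are provided by security-core's ClientCredentialConfig auto-configuration; the Trygdeetaten and NAV-proxy token services additionally require the matching *_OPENID_CONFIG_TOKEN_ENDPOINT property. */`. This also assumes consuming apps have Spring Boot auto-configuration enabled, since the credential beans are no longer `@Import`ed here.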
diff --git a/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/domain/AzureNavProxyClientCredential.java b/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/domain/AzureNavProxyClientCredential.java deleted file mode 100644 index bd5d322fdeb..00000000000 --- a/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/domain/AzureNavProxyClientCredential.java +++ /dev/null @@ -1,24 +0,0 @@ -package no.nav.testnav.libs.reactivesecurity.domain; - -import lombok.EqualsAndHashCode; -import lombok.Getter; -import org.springframework.beans.factory.annotation.Value; -import org.springframework.context.annotation.Configuration; - -import no.nav.testnav.libs.securitycore.domain.azuread.ClientCredential; - -@Getter -@EqualsAndHashCode(callSuper = false) -@Configuration -public class AzureNavProxyClientCredential extends ClientCredential { - private final String tokenEndpoint; - - public AzureNavProxyClientCredential( - @Value("${AZURE_NAV_OPENID_CONFIG_TOKEN_ENDPOINT:#{null}}") String tokenEndpoint, - @Value("${AZURE_NAV_APP_CLIENT_ID:#{null}}") String clientId, - @Value("${AZURE_NAV_APP_CLIENT_SECRET:#{null}}") String clientSecret - ) { - super(clientId, clientSecret); - this.tokenEndpoint = tokenEndpoint; - } -} diff --git a/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/domain/AzureTrygdeetatenClientCredential.java b/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/domain/AzureTrygdeetatenClientCredential.java deleted file mode 100644 index 5e69f2cccbe..00000000000 --- a/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/domain/AzureTrygdeetatenClientCredential.java +++ /dev/null 
@@ -1,41 +0,0 @@ -package no.nav.testnav.libs.reactivesecurity.domain; - -import org.springframework.beans.factory.annotation.Value; -import org.springframework.context.annotation.Configuration; - -import java.util.Objects; - -import no.nav.testnav.libs.securitycore.domain.azuread.ClientCredential; - -@Configuration -public class AzureTrygdeetatenClientCredential extends ClientCredential { - private final String tokenEndpoint; - - public AzureTrygdeetatenClientCredential( - @Value("${AZURE_TRYGDEETATEN_OPENID_CONFIG_TOKEN_ENDPOINT:#{null}}") String tokenEndpoint, - @Value("${AZURE_TRYGDEETATEN_APP_CLIENT_ID:#{null}}") String clientId, - @Value("${AZURE_TRYGDEETATEN_APP_CLIENT_SECRET:#{null}}") String clientSecret - ) { - super(clientId, clientSecret); - this.tokenEndpoint = tokenEndpoint; - } - - public String getTokenEndpoint() { - return tokenEndpoint; - } - - - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; - if (!super.equals(o)) return false; - AzureTrygdeetatenClientCredential that = (AzureTrygdeetatenClientCredential) o; - return Objects.equals(tokenEndpoint, that.tokenEndpoint); - } - - @Override - public int hashCode() { - return Objects.hash(super.hashCode(), tokenEndpoint); - } -} diff --git a/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/domain/Scopeable.java b/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/domain/Scopeable.java deleted file mode 100644 index c901355f115..00000000000 --- a/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/domain/Scopeable.java +++ /dev/null @@ -1,5 +0,0 @@ -package no.nav.testnav.libs.reactivesecurity.domain; - -public interface Scopeable { - String toScope(); -} 
diff --git a/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/exchange/azuread/NavAzureAdTokenService.java b/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/exchange/azuread/NavAzureAdTokenService.java index 2800db0654c..ae530208416 100644 --- a/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/exchange/azuread/NavAzureAdTokenService.java +++ b/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/exchange/azuread/NavAzureAdTokenService.java @@ -1,7 +1,7 @@ package no.nav.testnav.libs.reactivesecurity.exchange.azuread; import lombok.extern.slf4j.Slf4j; -import no.nav.testnav.libs.reactivesecurity.domain.AzureNavProxyClientCredential; +import no.nav.testnav.libs.securitycore.domain.azuread.AzureNavProxyClientCredential; import org.springframework.beans.factory.annotation.Value; import org.springframework.http.HttpHeaders; import org.springframework.http.MediaType; diff --git a/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/exchange/azuread/TrygdeetatenAzureAdTokenService.java b/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/exchange/azuread/TrygdeetatenAzureAdTokenService.java index c1a8adb73b2..288e3f442a3 100644 --- a/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/exchange/azuread/TrygdeetatenAzureAdTokenService.java +++ b/libs/reactive-security/src/main/java/no/nav/testnav/libs/reactivesecurity/exchange/azuread/TrygdeetatenAzureAdTokenService.java 
@@ -4,11 +4,11 @@ import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import no.nav.testnav.libs.reactivesecurity.action.GetAuthenticatedUserId; -import no.nav.testnav.libs.reactivesecurity.domain.AzureTrygdeetatenClientCredential; import no.nav.testnav.libs.reactivesecurity.exchange.ExchangeToken; import no.nav.testnav.libs.securitycore.command.azuread.ClientCredentialExchangeCommand; import no.nav.testnav.libs.securitycore.domain.AccessToken; import no.nav.testnav.libs.securitycore.domain.ServerProperties; +import no.nav.testnav.libs.securitycore.domain.azuread.AzureTrygdeetatenClientCredential; import no.nav.testnav.libs.securitycore.domain.azuread.ClientCredential; import org.springframework.beans.factory.annotation.Value; import org.springframework.http.HttpHeaders; diff --git a/libs/reactive-session-security/src/main/java/no/nav/testnav/libs/reactivesessionsecurity/exchange/AzureAdTokenExchange.java b/libs/reactive-session-security/src/main/java/no/nav/testnav/libs/reactivesessionsecurity/exchange/AzureAdTokenExchange.java index 3df7e1c9e9f..7441dd04795 100644 --- a/libs/reactive-session-security/src/main/java/no/nav/testnav/libs/reactivesessionsecurity/exchange/AzureAdTokenExchange.java +++ b/libs/reactive-session-security/src/main/java/no/nav/testnav/libs/reactivesessionsecurity/exchange/AzureAdTokenExchange.java @@ -1,6 +1,5 @@ package no.nav.testnav.libs.reactivesessionsecurity.exchange; -import com.fasterxml.jackson.databind.ObjectMapper; import lombok.extern.slf4j.Slf4j; import no.nav.testnav.libs.reactivesessionsecurity.resolver.TokenResolver; import no.nav.testnav.libs.securitycore.command.azuread.OnBehalfOfExchangeCommand; 
@@ -9,7 +8,6 @@ import no.nav.testnav.libs.securitycore.domain.azuread.AzureNavClientCredential; import no.nav.testnav.libs.securitycore.domain.azuread.ClientCredential; import org.springframework.beans.factory.annotation.Value; -import org.springframework.context.annotation.Import; import org.springframework.http.HttpHeaders; import org.springframework.http.MediaType; import org.springframework.stereotype.Service; @@ -19,9 +17,6 @@ @Slf4j @Service -@Import({ - AzureNavClientCredential.class -}) public class AzureAdTokenExchange implements ExchangeToken { private final WebClient webClient; private final TokenResolver tokenResolver; diff --git a/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureNavClientCredential.java b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureNavClientCredential.java index f7bbf72b012..1f41ec2a33c 100644 --- a/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureNavClientCredential.java +++ b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureNavClientCredential.java @@ -1,16 +1,9 @@ package no.nav.testnav.libs.securitycore.domain.azuread; -import org.springframework.beans.factory.annotation.Value; -import org.springframework.context.annotation.Configuration; - -@Configuration public class AzureNavClientCredential extends ClientCredential { - public AzureNavClientCredential( - @Value("${AZURE_APP_CLIENT_ID:#{null}}") String clientId, - @Value("${AZURE_APP_CLIENT_SECRET:#{null}}") String clientSecret - ) { + public AzureNavClientCredential(String clientId, String clientSecret) { super(clientId, clientSecret); } -} +} \ No newline at end of file 
diff --git a/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureNavProxyClientCredential.java b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureNavProxyClientCredential.java new file mode 100644 index 00000000000..4183bc46f87 --- /dev/null +++ b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureNavProxyClientCredential.java @@ -0,0 +1,17 @@ +package no.nav.testnav.libs.securitycore.domain.azuread; + +import lombok.EqualsAndHashCode; +import lombok.Getter; + +@Getter +@EqualsAndHashCode(callSuper = false) +public class AzureNavProxyClientCredential extends ClientCredential { + + private final String tokenEndpoint; + + public AzureNavProxyClientCredential(String tokenEndpoint, String clientId, String clientSecret) { + super(clientId, clientSecret); + this.tokenEndpoint = tokenEndpoint; + } + +} diff --git a/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureTrygdeetatenClientCredential.java b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureTrygdeetatenClientCredential.java new file mode 100644 index 00000000000..a68f9fd7c7d --- /dev/null +++ b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureTrygdeetatenClientCredential.java 
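Review bot: `@EqualsAndHashCode(callSuper = false)` on `AzureNavProxyClientCredential` (carried over from the deleted reactive-security copy) compares and hashes only `tokenEndpoint`, so two instances with the same endpoint but different `clientId`/`clientSecret` are equal, whereas the sibling `AzureTrygdeetatenClientCredential` in this same patch includes the superclass fields. Harmless for a singleton bean, but surprising for a value object; `@EqualsAndHashCode(callSuper = true)` would make the two consistent. The class also has no Javadoc now that it lives in a shared library; a one-liner such as `/** Client credential for the NAV-proxy Azure AD app; instances are created by ClientCredentialConfig, not constructed directly. */` would tell consumers where it comes from.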
@@ -0,0 +1,36 @@ +package no.nav.testnav.libs.securitycore.domain.azuread; + +import lombok.Getter; + +import java.util.Objects; + +@Getter +public class AzureTrygdeetatenClientCredential extends ClientCredential { + + private final String tokenEndpoint; + + public AzureTrygdeetatenClientCredential(String tokenEndpoint, String clientId, String clientSecret) { + super(clientId, clientSecret); + this.tokenEndpoint = tokenEndpoint; + } + + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + if (!super.equals(o)) { + return false; + } + return Objects.equals(tokenEndpoint, ((AzureTrygdeetatenClientCredential) o).getTokenEndpoint()); + } + + @Override + public int hashCode() { + return Objects.hash(super.hashCode(), tokenEndpoint); + } + +} diff --git a/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/ClientCredential.java b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/ClientCredential.java index c1d621f8bbc..ee7118495ca 100644 --- a/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/ClientCredential.java +++ b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/ClientCredential.java @@ -1,17 +1,20 @@ package no.nav.testnav.libs.securitycore.domain.azuread; -import lombok.Data; +import lombok.EqualsAndHashCode; +import lombok.Getter; +import lombok.RequiredArgsConstructor; -@Data +@RequiredArgsConstructor +@Getter +@EqualsAndHashCode public class ClientCredential { + private final String clientId; private final String clientSecret; @Override public final String toString() { - return "ClientCredential{" + - "clientId=[HIDDEN]" + - ", clientSecret=[HIDDEN]" + - '}'; + return "ClientCredential{clientId=[HIDDEN],clientSecret=[HIDDEN]}"; } + } 
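Review bot: `ClientCredential.toString()` stays `final` and redacting, but nothing says why; since the class is public and non-final and the subclasses in this patch use Lombok, a subclass adding `@Data`/`@ToString` must not be able to re-expose `clientSecret`, so a comment on the override is worth having: `// final on purpose: subclasses must not regenerate toString (e.g. via @Data) and leak clientSecret`. Note that Lombok's `@EqualsAndHashCode` on the base class now folds `clientSecret` into `hashCode()`, which is fine for bean identity but means the secret participates in any hash-based collection the credential is placed in. In the `AzureTrygdeetatenClientCredential` hunk the hand-written `equals`/`hashCode` could be `@EqualsAndHashCode(callSuper = true)` to match the Lombok style used elsewhere in this patch.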
diff --git a/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/ClientCredentialConfig.java b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/ClientCredentialConfig.java new file mode 100644 index 00000000000..ff1c03b32be --- /dev/null +++ b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/ClientCredentialConfig.java 
@@ -0,0 +1,91 @@
+package no.nav.testnav.libs.securitycore.domain.azuread;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.*;
+import org.springframework.context.annotation.*;
+import org.springframework.util.Assert;
+
+@Configuration
+public class ClientCredentialConfig {
+
+ private static final String AZURE_MISSING = "AZURE_APP_CLIENT_ID and AZURE_APP_CLIENT_SECRET must be set";
+ private static final String TRYGDEETATEN_MISSING = "AZURE_TRYGDEETATEN_APP_CLIENT_ID and AZURE_TRYGDEETATEN_APP_CLIENT_SECRET must be set";
+ private static final String PROXY_MISSING = "AZURE_NAV_APP_CLIENT_ID and AZURE_NAV_APP_CLIENT_SECRET must be set";
+
+ private static final String TEST_TOKEN_ENDPOINT = "test-token-endpoint";
+ private static final String TEST_CLIENT_ID = "test-client-id";
+ private static final String TEST_CLIENT_SECRET = "test-client-secret";
+
+ @Value("${AZURE_APP_CLIENT_ID:#{null}}")
+ private String azureClientId;
+
+ @Value("${AZURE_APP_CLIENT_SECRET:#{null}}")
+ private String azureClientSecret;
+
+ @Value("${AZURE_TRYGDEETATEN_APP_CLIENT_ID:#{null}}")
+ private String trygdeetatenClientId;
+
+ @Value("${AZURE_TRYGDEETATEN_APP_CLIENT_SECRET:#{null}}")
+ private String trygdeetatenClientSecret;
+
+ @Value("${AZURE_NAV_APP_CLIENT_ID:#{null}}")
+ private String proxyClientId;
+
+ @Value("${AZURE_NAV_APP_CLIENT_SECRET:#{null}}")
+ private String proxyClientSecret;
+
+ @Bean("azureNavClientCredential")
+ @Profile("!test")
+ @ConditionalOnMissingBean(AzureNavClientCredential.class)
+ public AzureNavClientCredential azureNavClientCredential() {
+ Assert.hasLength(azureClientId, AZURE_MISSING);
+ Assert.hasLength(azureClientSecret, AZURE_MISSING);
+ return new AzureNavClientCredential(azureClientId, azureClientSecret);
+ }
+
+ @Bean("azureNavClientCredential")
+ @Profile("test")
+ @ConditionalOnMissingBean(AzureNavClientCredential.class)
+ public AzureNavClientCredential azureNavClientCredentialTest() {
+ return new AzureNavClientCredential(TEST_CLIENT_ID, TEST_CLIENT_SECRET);
+ }
+
+ @Bean("azureTrygdeetatenClientCredential")
+ @Profile("!test")
+ @ConditionalOnMissingBean(AzureTrygdeetatenClientCredential.class)
+ @ConditionalOnProperty("AZURE_TRYGDEETATEN_OPENID_CONFIG_TOKEN_ENDPOINT")
+ public AzureTrygdeetatenClientCredential azureTrygdeetatenClientCredential(
+ @Value("AZURE_TRYGDEETATEN_OPENID_CONFIG_TOKEN_ENDPOINT") String trygdeetatenTokenEndpoint
+ ) {
+ Assert.hasLength(trygdeetatenClientId, TRYGDEETATEN_MISSING);
+ Assert.hasLength(trygdeetatenClientSecret, TRYGDEETATEN_MISSING);
+ return new AzureTrygdeetatenClientCredential(trygdeetatenTokenEndpoint, trygdeetatenClientId, trygdeetatenClientSecret);
+ }
+
+ @Bean("azureTrygdeetatenClientCredential")
+ @Profile("test")
+ @ConditionalOnMissingBean(AzureTrygdeetatenClientCredential.class)
+ public AzureTrygdeetatenClientCredential azureTrygdeetatenClientCredentialTest() {
+ return new AzureTrygdeetatenClientCredential(TEST_TOKEN_ENDPOINT, TEST_CLIENT_ID, TEST_CLIENT_SECRET);
+ }
+
+ @Bean("azureNavProxyClientCredential")
+ @Profile("!test")
+ @ConditionalOnMissingBean(AzureNavProxyClientCredential.class)
+ @ConditionalOnProperty("AZURE_NAV_OPENID_CONFIG_TOKEN_ENDPOINT")
+ public AzureNavProxyClientCredential azureNavProxyClientCredential(
+ @Value("AZURE_NAV_OPENID_CONFIG_TOKEN_ENDPOINT") String proxyTokenEndpoint
+ ) {
+ Assert.hasLength(proxyClientId, PROXY_MISSING);
+ Assert.hasLength(proxyClientSecret, PROXY_MISSING);
+ return new AzureNavProxyClientCredential(proxyTokenEndpoint, proxyClientId, proxyClientSecret);
+ }
+
+ @Bean("azureNavProxyClientCredential")
+ @Profile("test")
+ @ConditionalOnMissingBean(AzureNavProxyClientCredential.class)
+ public AzureNavProxyClientCredential azureNavProxyClientCredentialTest() {
+ return new AzureNavProxyClientCredential(TEST_TOKEN_ENDPOINT, TEST_CLIENT_ID, TEST_CLIENT_SECRET);
+ }
+
+}
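Review bot: `@Value("AZURE_TRYGDEETATEN_OPENID_CONFIG_TOKEN_ENDPOINT")` and `@Value("AZURE_NAV_OPENID_CONFIG_TOKEN_ENDPOINT")` on the factory-method parameters are missing the `${…}` placeholder, so Spring injects the literal property name rather than the configured URL, and every Trygdeetaten/proxy token request would be sent to a `tokenEndpoint` of "AZURE_…_TOKEN_ENDPOINT" (the `@ConditionalOnProperty` guards only check that the property exists). The fix is `@Value("${AZURE_TRYGDEETATEN_OPENID_CONFIG_TOKEN_ENDPOINT}")` and `@Value("${AZURE_NAV_OPENID_CONFIG_TOKEN_ENDPOINT}")`, matching the field injections above. The `@Profile("test")` beans hand out the hard-coded `test-client-id`/`test-client-secret` values with no further condition, so a deployed pod that accidentally activates the `test` profile silently skips the `Assert.hasLength` checks and runs with dummy credentials; at minimum log a WARN when those beans are created, or keep them in test source sets. Since the class is registered in `AutoConfiguration.imports` later in this patch, `@AutoConfiguration` rather than `@Configuration` is the documented way to declare it, and is what makes the `@ConditionalOnMissingBean` ordering reliable against user-defined beans.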
diff --git a/libs/security-core/src/main/resources/META-INF/additional-spring-configuration-metadata.json b/libs/security-core/src/main/resources/META-INF/additional-spring-configuration-metadata.json new file mode 100644 index 00000000000..cfadac8be64 --- /dev/null +++ b/libs/security-core/src/main/resources/META-INF/additional-spring-configuration-metadata.json 
@@ -0,0 +1,44 @@ +{ + "properties": [ + { + "name": "AZURE_APP_CLIENT_ID", + "type": "java.lang.String", + "description": "Satt av NAIS i pod. Se ClientCredentialConfig#azureNavClientCredential. Kan erstattes med ${sm://azure-app-client-id} for lokal kjøring." + }, + { + "name": "AZURE_APP_CLIENT_SECRET", + "type": "java.lang.String", + "description": "Satt av NAIS i pod. Se ClientCredentialConfig#azureNavClientCredential. Kan erstattes med ${sm://azure-app-client-secret} for lokal kjøring." + }, + { + "name": "AZURE_TRYGDEETATEN_OPENID_CONFIG_TOKEN_ENDPOINT", + "type": "java.lang.String", + "description": "Satt av NAIS i pod. Hvis satt må også AZURE_TRYGDEETATEN_APP_CLIENT_ID og AZURE_TRYGDEETATEN_APP_CLIENT_SECRET være satt. Se ClientCredentialConfig#azureTrygdeetatenClientCredential." + }, + { + "name": "AZURE_TRYGDEETATEN_APP_CLIENT_ID", + "type": "java.lang.String", + "description": "Satt av NAIS i pod. Se ClientCredentialConfig#azureTrygdeetatenClientCredential." + }, + { + "name": "AZURE_TRYGDEETATEN_APP_CLIENT_SECRET", + "type": "java.lang.String", + "description": "Satt av NAIS i pod. Se ClientCredentialConfig#azureTrygdeetatenClientCredential." + }, + { + "name": "AZURE_NAV_OPENID_CONFIG_TOKEN_ENDPOINT", + "type": "java.lang.String", + "description": "Satt av NAIS i pod. Hvis satt må også AZURE_NAV_APP_CLIENT_ID og AZURE_NAV_APP_CLIENT_SECRET være satt. Se ClientCredentialConfig#azureNavProxyClientCredential." + }, + { + "name": "AZURE_NAV_APP_CLIENT_ID", + "type": "java.lang.String", + "description": "Satt av NAIS i pod. Se ClientCredentialConfig#azureNavProxyClientCredential." + }, + { + "name": "AZURE_NAV_APP_CLIENT_SECRET", + "type": "java.lang.String", + "description": "Satt av NAIS i pod. Se ClientCredentialConfigazureNavProxyClientCredential." + } + ] +} \ No newline at end of file 
diff --git a/libs/security-core/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports b/libs/security-core/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports new file mode 100644 index 00000000000..02691bfa6f3 --- /dev/null +++ b/libs/security-core/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports @@ -0,0 +1 @@ +no.nav.testnav.libs.securitycore.domain.azuread.ClientCredentialConfig \ No newline at end of file diff --git a/libs/servlet-insecure-security/src/main/java/no/nav/testnav/libs/standalone/servletsecurity/config/InsecureJwtServerToServerConfiguration.java b/libs/servlet-insecure-security/src/main/java/no/nav/testnav/libs/standalone/servletsecurity/config/InsecureJwtServerToServerConfiguration.java index bd9d9a9d193..7f12945ced7 100644 --- a/libs/servlet-insecure-security/src/main/java/no/nav/testnav/libs/standalone/servletsecurity/config/InsecureJwtServerToServerConfiguration.java +++ b/libs/servlet-insecure-security/src/main/java/no/nav/testnav/libs/standalone/servletsecurity/config/InsecureJwtServerToServerConfiguration.java @@ -1,6 +1,5 @@ package no.nav.testnav.libs.standalone.servletsecurity.config; -import no.nav.testnav.libs.securitycore.domain.azuread.AzureNavClientCredential; import no.nav.testnav.libs.standalone.servletsecurity.decoder.MultipleIssuersJwtDecoder; import no.nav.testnav.libs.standalone.servletsecurity.exchange.AzureAdTokenService; import no.nav.testnav.libs.standalone.servletsecurity.exchange.TokenExchange; @@ -20,8 +19,7 @@ TokenXResourceServerProperties.class, AzureAdResourceServerProperties.class, TokenExchange.class, - AzureAdTokenService.class, - AzureNavClientCredential.class + AzureAdTokenService.class }) public class InsecureJwtServerToServerConfiguration { 
diff --git a/libs/servlet-security/src/main/java/no/nav/testnav/libs/servletsecurity/config/SecureOAuth2ServerToServerConfiguration.java b/libs/servlet-security/src/main/java/no/nav/testnav/libs/servletsecurity/config/SecureOAuth2ServerToServerConfiguration.java index 68477de2205..ffb286d1cfb 100644 --- a/libs/servlet-security/src/main/java/no/nav/testnav/libs/servletsecurity/config/SecureOAuth2ServerToServerConfiguration.java +++ b/libs/servlet-security/src/main/java/no/nav/testnav/libs/servletsecurity/config/SecureOAuth2ServerToServerConfiguration.java @@ -1,6 +1,5 @@ package no.nav.testnav.libs.servletsecurity.config; -import no.nav.testnav.libs.securitycore.domain.azuread.AzureNavClientCredential; import no.nav.testnav.libs.securitycore.domain.tokenx.TokenXProperties; import no.nav.testnav.libs.servletsecurity.action.GetAuthenticatedId; import no.nav.testnav.libs.servletsecurity.action.GetAuthenticatedResourceServerType; @@ -24,7 +23,6 @@ @Configuration @Import({ - AzureNavClientCredential.class, TokenXResourceServerProperties.class, AzureAdResourceServerProperties.class, TokenXService.class, From aa81a41d59b3dd3bb02eea59a1f4c27d4b9b2b0b Mon Sep 17 00:00:00 2001 From: Cato Olsen Date: Fri, 13 Dec 2024 10:45:03 +0100 Subject: [PATCH 2/3] Typo. --- .../META-INF/additional-spring-configuration-metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libs/security-core/src/main/resources/META-INF/additional-spring-configuration-metadata.json b/libs/security-core/src/main/resources/META-INF/additional-spring-configuration-metadata.json index cfadac8be64..87d29dc909d 100644 --- a/libs/security-core/src/main/resources/META-INF/additional-spring-configuration-metadata.json +++ b/libs/security-core/src/main/resources/META-INF/additional-spring-configuration-metadata.json 
@@ -38,7 +38,7 @@ { "name": "AZURE_NAV_APP_CLIENT_SECRET", "type": "java.lang.String", - "description": "Satt av NAIS i pod. Se ClientCredentialConfigazureNavProxyClientCredential." + "description": "Satt av NAIS i pod. Se ClientCredentialConfig#azureNavProxyClientCredential." } ] } \ No newline at end of file From 4d7400bc2a5ab29ef24a6a775f63b148beb6327f Mon Sep 17 00:00:00 2001 From: Cato Olsen Date: Fri, 13 Dec 2024 14:10:02 +0100 Subject: [PATCH 3/3] Changed constructor visibilities to indicate intention to use factory. --- .../securitycore/domain/azuread/AzureNavClientCredential.java | 2 +- .../domain/azuread/AzureNavProxyClientCredential.java | 2 +- .../domain/azuread/AzureTrygdeetatenClientCredential.java | 2 +- .../libs/securitycore/domain/azuread/ClientCredential.java | 4 +++- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureNavClientCredential.java b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureNavClientCredential.java index 1f41ec2a33c..b6f1f00f38d 100644 --- a/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureNavClientCredential.java +++ b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureNavClientCredential.java @@ -2,7 +2,7 @@ public class AzureNavClientCredential extends ClientCredential { - public AzureNavClientCredential(String clientId, String clientSecret) { + AzureNavClientCredential(String clientId, String clientSecret) { super(clientId, clientSecret); } diff --git a/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureNavProxyClientCredential.java b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureNavProxyClientCredential.java index 4183bc46f87..a954209f916 100644 
--- a/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureNavProxyClientCredential.java +++ b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureNavProxyClientCredential.java @@ -9,7 +9,7 @@ public class AzureNavProxyClientCredential extends ClientCredential { private final String tokenEndpoint; - public AzureNavProxyClientCredential(String tokenEndpoint, String clientId, String clientSecret) { + AzureNavProxyClientCredential(String tokenEndpoint, String clientId, String clientSecret) { super(clientId, clientSecret); this.tokenEndpoint = tokenEndpoint; } diff --git a/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureTrygdeetatenClientCredential.java b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureTrygdeetatenClientCredential.java index a68f9fd7c7d..bd6249a6f27 100644 --- a/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureTrygdeetatenClientCredential.java +++ b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/AzureTrygdeetatenClientCredential.java @@ -9,7 +9,7 @@ public class AzureTrygdeetatenClientCredential extends ClientCredential { private final String tokenEndpoint; - public AzureTrygdeetatenClientCredential(String tokenEndpoint, String clientId, String clientSecret) { + AzureTrygdeetatenClientCredential(String tokenEndpoint, String clientId, String clientSecret) { super(clientId, clientSecret); this.tokenEndpoint = tokenEndpoint; } diff --git a/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/ClientCredential.java b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/ClientCredential.java index ee7118495ca..e48a85cb39f 100644 --- a/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/ClientCredential.java 
+++ b/libs/security-core/src/main/java/no/nav/testnav/libs/securitycore/domain/azuread/ClientCredential.java @@ -4,7 +4,9 @@ import lombok.Getter; import lombok.RequiredArgsConstructor; -@RequiredArgsConstructor +import static lombok.AccessLevel.PACKAGE; + +@RequiredArgsConstructor(access = PACKAGE) @Getter @EqualsAndHashCode public class ClientCredential {
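Review bot: Making `ClientCredential`'s constructor package-private (together with the three subclass constructors in the earlier hunks of this patch) silently turns a public, non-final base class into one that can only be extended from `no.nav.testnav.libs.securitycore.domain.azuread`, and any test or app code elsewhere that did `new AzureNavClientCredential(...)` no longer compiles (not visible here, so treat as a possibility to check). State the intent on the class rather than leaving it implicit: `/** Base for Azure AD client credentials. Constructors are package-private on purpose: instances are created only by ClientCredentialConfig (or its "test" profile beans); other modules should inject the bean or mock it. */`. If extension is genuinely closed, `sealed … permits` the three subclasses (or marking them `final`) would say the same thing in the type system.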