EE10: Persistence + Flytte tokenvalidering til SAM. Fjerne SubjectHan…

…dler (#1319)

* Flytte tokenvalidering fra Login til SAM. Fjerne SubjectHandler

* Forenkle SAM vs validering litt til

* Videre forenkling

* Rydde litt

* Resten av EE10

felles/auth-filter/src/main/java/no/nav/vedtak/sikkerhet/jaxrs/AuthenticationFilterDelegate.java

@@ -25,9 +25,7 @@
 import no.nav.vedtak.sikkerhet.oidc.token.OpenIDToken;
 import no.nav.vedtak.sikkerhet.oidc.token.TokenString;
 import no.nav.vedtak.sikkerhet.oidc.validator.JwtUtil;
-import no.nav.vedtak.sikkerhet.oidc.validator.OidcTokenValidator;
 import no.nav.vedtak.sikkerhet.oidc.validator.OidcTokenValidatorConfig;
-import no.nav.vedtak.sikkerhet.oidc.validator.OidcTokenValidatorResult;
 
 /**
  * Bruksanvisning inntil alle er over og det evt samles her:
@@ -134,9 +132,6 @@ public static void validerToken(TokenString tokenString) {
         var validateResult = tokenValidator.validate(token.primary());
 
         // Håndter valideringsresultat
-        if (needToRefreshToken(token, validateResult, tokenValidator)) {
-            throw new ValideringsFeil("Token expired");
-        }
         if (validateResult.isValid()) {
             KontekstHolder.setKontekst(RequestKontekst.forRequest(validateResult.subject(), validateResult.compactSubject(),
                 validateResult.identType(), token, validateResult.getGrupper()));
@@ -146,10 +141,6 @@ public static void validerToken(TokenString tokenString) {
         }
     }
 
-    private static boolean needToRefreshToken(OpenIDToken token, OidcTokenValidatorResult validateResult, OidcTokenValidator tokenValidator) {
-        return !validateResult.isValid() && tokenValidator.validateWithoutExpirationTime(token.primary()).isValid();
-    }
-
     private static class TokenFeil extends RuntimeException {
         TokenFeil(String message) {
             super(message);

felles/db/src/main/java/no/nav/vedtak/felles/jpa/DelegatingPersistenceUnitDescriptor.java

@@ -4,18 +4,19 @@
 import java.util.List;
 import java.util.Properties;
 
+import org.hibernate.bytecode.enhance.spi.EnhancementContext;
+import org.hibernate.bytecode.spi.ClassTransformer;
+import org.hibernate.jpa.boot.spi.PersistenceUnitDescriptor;
+
 import jakarta.persistence.SharedCacheMode;
 import jakarta.persistence.ValidationMode;
 import jakarta.persistence.spi.PersistenceUnitTransactionType;
 
-import org.hibernate.bytecode.enhance.spi.EnhancementContext;
-import org.hibernate.jpa.boot.spi.PersistenceUnitDescriptor;
-
 /**
  * Delegerer kall fra en {@link PersistenceUnitDescriptor} til en annen slik at det er enklere å lage en SPI implementasjon baser på Hibernate
  */
 public class DelegatingPersistenceUnitDescriptor implements PersistenceUnitDescriptor {
-    private PersistenceUnitDescriptor persistenceUnitDescriptor;
+    private final PersistenceUnitDescriptor persistenceUnitDescriptor;
 
     public DelegatingPersistenceUnitDescriptor(PersistenceUnitDescriptor persistenceUnitDescriptor) {
         this.persistenceUnitDescriptor = persistenceUnitDescriptor;
@@ -106,4 +107,9 @@ public void pushClassTransformer(EnhancementContext enhancementContext) {
         persistenceUnitDescriptor.pushClassTransformer(enhancementContext);
     }
 
+    @Override
+    public ClassTransformer getClassTransformer() {
+        return persistenceUnitDescriptor.getClassTransformer();
+    }
+
 }

felles/db/src/main/java/no/nav/vedtak/felles/jpa/PersistenceUnitInfoDescriptorAdapter.java

@@ -4,21 +4,25 @@
 import java.util.List;
 import java.util.Properties;
 
+import org.hibernate.bytecode.enhance.spi.EnhancementContext;
+import org.hibernate.bytecode.spi.ClassTransformer;
+import org.hibernate.jpa.boot.spi.PersistenceUnitDescriptor;
+import org.hibernate.jpa.internal.enhance.EnhancingClassTransformerImpl;
+
+import jakarta.persistence.PersistenceException;
 import jakarta.persistence.SharedCacheMode;
 import jakarta.persistence.ValidationMode;
 import jakarta.persistence.spi.PersistenceUnitInfo;
 import jakarta.persistence.spi.PersistenceUnitTransactionType;
 
-import org.hibernate.bytecode.enhance.spi.EnhancementContext;
-import org.hibernate.jpa.boot.spi.PersistenceUnitDescriptor;
-import org.hibernate.jpa.internal.enhance.EnhancingClassTransformerImpl;
-
 /**
  * Bridging calls to PersistenceUnitDescriptor onto a PersistenceUnitInfo implementation.
  */
 class PersistenceUnitInfoDescriptorAdapter implements PersistenceUnitDescriptor {
     private final PersistenceUnitInfo persistenceUnitInfo;
 
+    private ClassTransformer classTransformer;
+
     public PersistenceUnitInfoDescriptorAdapter(PersistenceUnitInfo persistenceUnitInfo) {
         this.persistenceUnitInfo = persistenceUnitInfo;
     }
@@ -105,6 +109,19 @@ public boolean isUseQuotedIdentifiers() {
 
     @Override
     public void pushClassTransformer(EnhancementContext enhancementContext) {
-        persistenceUnitInfo.addTransformer(new EnhancingClassTransformerImpl(enhancementContext));
+        if (this.classTransformer != null) {
+            throw new PersistenceException("Persistence unit [" + this.persistenceUnitInfo.getPersistenceUnitName() + "] can only have a single class transformer.");
+        } else {
+            if (this.persistenceUnitInfo.getNewTempClassLoader() != null) {
+                EnhancingClassTransformerImpl classTransformer = new EnhancingClassTransformerImpl(enhancementContext);
+                this.classTransformer = classTransformer;
+                this.persistenceUnitInfo.addTransformer(classTransformer);
+            }
+        }
+    }
+
+    @Override
+    public ClassTransformer getClassTransformer() {
+        return classTransformer;
     }
 }

felles/kontekst/src/main/java/no/nav/vedtak/sikkerhet/kontekst/KontekstHolder.java

@@ -39,7 +39,6 @@ public static void fjernKontekst() {
             KONTEKST.remove();
         } else {
             LOG.info("FPFELLES KONTEKST allerede fjernet", new Exception("Stracktracegenerator/fjernKontekst"));
-            ;
         }
     }
 

felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/validator/OidcTokenValidator.java

@@ -87,10 +87,6 @@ private OidcTokenValidator(OpenIDProvider provider, String expectedIssuer, JwksK
     }
 
     public OidcTokenValidatorResult validate(TokenString tokenHolder) {
-        return validate(tokenHolder, allowedClockSkewInSeconds);
-    }
-
-    private OidcTokenValidatorResult validate(TokenString tokenHolder, int allowedClockSkewInSeconds) {
         if (tokenHolder == null || tokenHolder.token() == null) {
             return OidcTokenValidatorResult.invalid("Missing token (token was null)");
         }
@@ -139,10 +135,6 @@ private OidcTokenValidatorResult validate(TokenString tokenHolder, int allowedCl
         }
     }
 
-    public OidcTokenValidatorResult validateWithoutExpirationTime(TokenString tokenHolder) {
-        return validate(tokenHolder, Integer.MAX_VALUE);
-    }
-
     // Validates some of the rules set in OpenID Connect Core 1.0 incorporatin errata set 1,
     // which is not already validated by using JwtConsumer
     private String validateClaims(JwtClaims claims) {

felles/oidc/src/test/java/no/nav/vedtak/sikkerhet/oidc/validator/OidcTokenValidatorTest.java

@@ -3,7 +3,6 @@
 import static java.util.Arrays.asList;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.net.URI;
 import java.util.Arrays;
@@ -265,17 +264,6 @@ void skal_ikke_godta_token_som_er_signert_med_feil_sertifikat() {
         assertInvalid(result, "is on or after the Expiration Time");
     }
 
-    @Test
-    void skal_godta_token_som_har_gått_ut_på_tid_i_egen_metode_som_validerer_uten_tid() {
-        var now = NumericDate.now().getValue();
-        var token = new OidcTokenGenerator().withIssuedAt(NumericDate.fromSeconds(now - 3601))
-            .withExpiration(NumericDate.fromSeconds(now - 31))
-            .createHeaderTokenHolder();
-
-        var result = tokenValidator.validateWithoutExpirationTime(token);
-        assertValid(result);
-    }
-
     @Test
     void skal_ikke_godta_å_validere_token_når_det_mangler_konfigurasjon_for_issuer() {
         WellKnownConfigurationHelper.setWellKnownConfig("azureAD", "{}");

felles/sikkerhet/pom.xml

@@ -44,6 +44,11 @@
             <groupId>jakarta.authentication</groupId>
             <artifactId>jakarta.authentication-api</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.eclipse.jetty.ee10</groupId>
+            <artifactId>jetty-ee10-jaspi</artifactId>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-server</artifactId>

felles/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/context/ContextCleaner.java

@@ -1,10 +1,10 @@
 package no.nav.vedtak.sikkerhet.context;
 
-import no.nav.vedtak.sikkerhet.kontekst.KontekstHolder;
-
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import no.nav.vedtak.sikkerhet.kontekst.KontekstHolder;
+
 public class ContextCleaner {
 
     private static final Logger LOG = LoggerFactory.getLogger(ContextCleaner.class);
@@ -18,15 +18,8 @@ public static void enusureCleanContext() {
                 LOG.trace("FPFELLES KONTEKST fjernet i ContextCleaner - burde vært fjernet før");
                 KontekstHolder.fjernKontekst();
             }
-            var subjectHandler = SubjectHandler.getSubjectHandler();
-            var subject = subjectHandler.getSubject();
-            // OBS JettySubjectHandler vil gi ting fra request så lenge den ikke er ferdig rensket i JASPI (etter Listener)
-            if (subject != null) {
-                ((ThreadLocalSubjectHandler) subjectHandler).setSubject(null);
-                LOG.trace("FPFELLES ConClean: subject fjernet fra ThreadLocal");
-            }
         } catch (Exception e) {
-            LOG.trace("FPFELLES ConClean: kunne ikke fjerne subject", e);
+            LOG.trace("FPFELLES ConClean: kunne ikke fjerne kontekst", e);
         }
     }
 }

felles/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/context/SubjectHandler.java

@@ -1,92 +0,0 @@
-package no.nav.vedtak.sikkerhet.context;
-
-import java.util.Objects;
-import java.util.Optional;
-import java.util.Set;
-import java.util.stream.Collectors;
-
-import javax.security.auth.Subject;
-
-import no.nav.vedtak.exception.TekniskException;
-import no.nav.vedtak.sikkerhet.context.containers.ConsumerId;
-import no.nav.vedtak.sikkerhet.context.containers.SluttBruker;
-import no.nav.vedtak.sikkerhet.kontekst.Groups;
-import no.nav.vedtak.sikkerhet.kontekst.IdentType;
-
-public abstract class SubjectHandler {
-    public abstract Subject getSubject();
-
-    public static SubjectHandler getSubjectHandler() {
-        return new JettySubjectHandler();
-    }
-
-    public String getUid() {
-        return getUid(getSubject());
-    }
-
-    public static String getUid(Subject subject) {
-        return Optional.ofNullable(getSluttBruker(subject))
-            .map(SluttBruker::getName)
-            .orElse(null);
-    }
-
-    public SluttBruker getSluttBruker() {
-        return getSluttBruker(getSubject());
-    }
-
-    public static SluttBruker getSluttBruker(Subject subject) {
-        return Optional.ofNullable(subject)
-            .map(s -> s.getPrincipals(SluttBruker.class))
-            .map(SubjectHandler::getTheOnlyOneInSet)
-            .orElse(null);
-    }
-
-    public IdentType getIdentType() {
-        return Optional.ofNullable(getSubject())
-            .map(s -> s.getPrincipals(SluttBruker.class))
-            .map(SubjectHandler::getTheOnlyOneInSet)
-            .map(SluttBruker::getIdentType)
-            .orElse(null);
-    }
-
-    public Set<Groups> getGrupper() {
-        return Optional.ofNullable(getSubject())
-            .map(s -> s.getPrincipals(SluttBruker.class))
-            .map(SubjectHandler::getTheOnlyOneInSet)
-            .map(SluttBruker::getGrupper)
-            .orElse(Set.of());
-    }
-
-    public String getConsumerId() {
-        return getConsumerId(getSubject());
-    }
-
-    public static String getConsumerId(Subject subject) {
-        return Optional.ofNullable(subject)
-            .map(s -> s.getPrincipals(ConsumerId.class))
-            .map(SubjectHandler::getTheOnlyOneInSet)
-            .filter(Objects::nonNull)
-            .map(ConsumerId::getConsumerId)
-            .orElse(null);
-    }
-
-    private static <T> T getTheOnlyOneInSet(Set<T> set) {
-        if (set.isEmpty()) {
-            return null;
-        }
-
-        if (set.size() == 1) {
-            return set.iterator().next();
-        }
-
-        // logging class names to the log to help debug. Cannot log actual objects,
-        // since then ID_tokens may be logged
-        Set<String> classNames = set.stream()
-            .map(Object::getClass)
-            .map(Class::getName)
-            .collect(Collectors.toSet());
-        throw new TekniskException("F-327190",
-            String.format("Forventet ingen eller ett element, men fikk %s elementer av type %s", set.size(), classNames));
-    }
-
-}