Gjør lokal tilgangsbeslutning PepImpl uavhengig av cluster

navikt · Apr 25, 2023 · d258abe · d258abe
1 parent 2dbfd41
commit d258abe
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 8 deletions.
diff --git a/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PepImpl.java b/felles/abac/src/main/java/no/nav/vedtak/sikkerhet/abac/PepImpl.java
@@ -9,6 +9,7 @@
 import javax.enterprise.inject.Default;
 import javax.inject.Inject;
 
+import no.nav.foreldrepenger.konfig.Cluster;
 import no.nav.foreldrepenger.konfig.Environment;
 import no.nav.foreldrepenger.konfig.KonfigVerdi;
 import no.nav.vedtak.sikkerhet.abac.beskyttet.AvailabilityType;
@@ -31,7 +32,6 @@ public class PepImpl implements Pep {
     private Set<String> pipUsers;
     private TokenProvider tokenProvider;
     private String preAuthorized;
-    private String residentClusterNamespace;
 
     public PepImpl() {
     }
@@ -46,7 +46,6 @@ public PepImpl(PdpKlient pdpKlient,
         this.tokenProvider = tokenProvider;
         this.pipUsers = konfigurePipUsers(pipUsers);
         this.preAuthorized = ENV.getProperty(AzureProperty.AZURE_APP_PRE_AUTHORIZED_APPS.name()); // eg json array av objekt("name", "clientId")
-        this.residentClusterNamespace = ENV.clusterName() + ":" + ENV.namespace();
     }
 
     protected Set<String> konfigurePipUsers(String pipUsers) {
@@ -84,12 +83,26 @@ private boolean harTilgang(BeskyttetRessursAttributter attributter) {
         if (consumer == null || !preAuthorized.contains(consumer)) {
             return false;
         }
-        if (consumer.startsWith(residentClusterNamespace) || builder.internAzureConsumer(consumer)) {
+
+        if (erISammeKlusterKlasseOgNamespace(consumer) || builder.internAzureConsumer(consumer)) {
             return true;
         }
         return AvailabilityType.ALL.equals(attributter.getAvailabilityType());
     }
 
+    private boolean erISammeKlusterKlasseOgNamespace(String consumer) {
+        try {
+            var elementer = consumer.split(":");
+            var consumerCluster = elementer[0];
+            var consumerNamespace = elementer[1];
+            return ENV.getCluster().isSameClass(Cluster.of(consumerCluster)) && ENV.namespace().equals(consumerNamespace);
+        } catch (Exception e) {
+            return false;
+        }
+
+
+    }
+
     protected Tilgangsbeslutning vurderTilgangTilPipTjeneste(BeskyttetRessursAttributter beskyttetRessursAttributter, AppRessursData appRessursData) {
         String uid = tokenProvider.getUid();
         if (pipUsers.contains(uid.toLowerCase())) {

diff --git a/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java b/felles/abac/src/test/java/no/nav/vedtak/sikkerhet/abac/PepImplTest.java
@@ -46,7 +46,7 @@ class PepImplTest {
 
     @BeforeAll
     static void initEnv() {
-        System.setProperty(AzureProperty.AZURE_APP_PRE_AUTHORIZED_APPS.name(), LOCAL_APP + ", local:annetnamespace:eksternapplication");
+        System.setProperty(AzureProperty.AZURE_APP_PRE_AUTHORIZED_APPS.name(), LOCAL_APP + ", vtp:annetnamespace:eksternapplication");
     }
 
     @AfterAll
@@ -99,8 +99,8 @@ void skal_gi_tilgang_for_intern_azure_cc() {
     @Test
     void skal_gi_avslag_for_ekstern_azure_cc() {
         var token = new OpenIDToken(OpenIDProvider.AZUREAD, new TokenString("token"));
-        when(tokenProvider.getUid()).thenReturn("local:annetnamespace:ukjentapplication");
-        var attributter = lagBeskyttetRessursAttributterAzure(AvailabilityType.INTERNAL, token, "local:annetnamespace:ukjentapplication",
+        when(tokenProvider.getUid()).thenReturn("vtp:annetnamespace:ukjentapplication");
+        var attributter = lagBeskyttetRessursAttributterAzure(AvailabilityType.INTERNAL, token, "vtp:annetnamespace:ukjentapplication",
             IdentType.Systemressurs);
 
         when(pdpRequestBuilder.lagAppRessursData(any())).thenReturn(AppRessursData.builder().build());
@@ -113,8 +113,8 @@ void skal_gi_avslag_for_ekstern_azure_cc() {
     @Test
     void skal_gi_tilgang_for_godkjent_ekstern_azure_cc() {
         var token = new OpenIDToken(OpenIDProvider.AZUREAD, new TokenString("token"));
-        when(tokenProvider.getUid()).thenReturn("local:annetnamespace:eksternapplication");
-        var attributter = lagBeskyttetRessursAttributterAzure(AvailabilityType.ALL, token, "local:annetnamespace:eksternapplication",
+        when(tokenProvider.getUid()).thenReturn("vtp:annetnamespace:eksternapplication");
+        var attributter = lagBeskyttetRessursAttributterAzure(AvailabilityType.ALL, token, "vtp:annetnamespace:eksternapplication",
             IdentType.Systemressurs);
 
         when(pdpRequestBuilder.lagAppRessursData(any())).thenReturn(AppRessursData.builder().build());