Idporten autentisering

build.gradle.kts

@@ -33,21 +33,23 @@ dependencies {
     implementation(Ktor2.Server.defaultHeaders)
     implementation(Ktor2.Server.cors)
     implementation(TmsKtorTokenSupport.tokenXValidation)
+    implementation(TmsKtorTokenSupport.idportenSidecar)
     implementation(TmsKtorTokenSupport.authenticationInstaller)
     implementation(TmsKtorTokenSupport.tokendingsExchange)
     implementation(KotlinLogging.logging)
     implementation(Logstash.logbackEncoder)
     implementation(Logback.classic)
-    implementation("io.ktor:ktor-server-call-logging:2.1.1")
     implementation(Ktor2.Serialization.kotlinX)
     implementation(Micrometer.registryPrometheus)
+    implementation(Prometheus.logback)
 
     testImplementation(kotlin("test"))
     testImplementation(Kotest.assertionsCore)
     testImplementation(Kotest.runnerJunit5)
     testImplementation(Ktor2.Test.serverTestHost)
-    testImplementation(Ktor2.Test.clientMock)
     implementation(TmsKtorTokenSupport.tokenXValidationMock)
+    implementation(TmsKtorTokenSupport.idportenSidecarMock)
+    implementation(TmsKtorTokenSupport.authenticationInstallerMock)
     testImplementation(Mockk.mockk)
 }
 

nais/dev-gcp/nais.yaml

@@ -8,8 +8,14 @@ metadata:
 spec:
   envFrom:
     - secret: tms-varsel-api-secrets
+  ingresses:
+    - "https://www.intern.dev.nav.no/tms-varsel-api"
   tokenx:
     enabled: true
+  idporten:
+    enabled: true
+    sidecar:
+      enabled: true
   image: {{version}}
   port: 8080
   liveness:
@@ -21,6 +27,8 @@ spec:
   prometheus:
     enabled: true
     path: /tms-varsel-api/metrics
+  secureLogs:
+    enabled: true
   replicas:
     min: 2
     max: 4

nais/prod-gcp/nais.yaml

@@ -8,8 +8,14 @@ metadata:
 spec:
   envFrom:
     - secret: tms-varsel-api-secrets
+  ingresses:
+    - "https://www.nav.no/tms-varsel-api"
   tokenx:
     enabled: true
+  idporten:
+    enabled: true
+    sidecar:
+      enabled: true
   image: {{version}}
   port: 8080
   liveness:
@@ -21,6 +27,8 @@ spec:
   prometheus:
     enabled: true
     path: /tms-varsel-api/metrics
+  secureLogs:
+    enabled: true
   replicas:
     min: 2
     max: 4

src/main/kotlin/no/nav/tms/varsel/api/Application.kt

@@ -15,7 +15,6 @@ fun main() {
     embeddedServer(
         factory = Netty,
         environment = applicationEngineEnvironment {
-            rootPath = "tms-varsel-api"
             module {
                 varselApi(
                     corsAllowedOrigins = environment.corsAllowedOrigins,

src/main/kotlin/no/nav/tms/varsel/api/varsel/varselRoutes.kt

@@ -1,30 +1,32 @@
 package no.nav.tms.varsel.api.varsel
 
 import io.ktor.http.HttpStatusCode
+import io.ktor.server.application.ApplicationCall
 import io.ktor.server.application.call
 import io.ktor.server.response.respond
 import io.ktor.server.routing.Route
 import io.ktor.server.routing.get
+import io.ktor.util.pipeline.PipelineContext
 import kotlinx.serialization.Serializable
-import no.nav.tms.varsel.api.userToken
 
 fun Route.varsel(
-    varselConsumer: VarselConsumer
+    varselConsumer: VarselConsumer,
+    tokenResolver: PipelineContext<Unit, ApplicationCall>.()->String
 ) {
     get("inaktive") {
-        val inaktiveVarsler = varselConsumer.getInaktiveVarsler(userToken)
+        val inaktiveVarsler = varselConsumer.getInaktiveVarsler(tokenResolver())
 
         call.respond(HttpStatusCode.OK, inaktiveVarsler)
     }
 
     get("aktive") {
-        val aktiveVarsler = varselConsumer.getAktiveVarsler(userToken)
+        val aktiveVarsler = varselConsumer.getAktiveVarsler(tokenResolver())
 
         call.respond(HttpStatusCode.OK, aktiveVarsler)
     }
 
     get("antall/aktive") {
-        val antallAktive = varselConsumer.getAktiveVarsler(userToken).let {
+        val antallAktive = varselConsumer.getAktiveVarsler(tokenResolver()).let {
             AntallVarsler(
                 beskjeder = it.beskjeder.size,
                 oppgaver = it.oppgaver.size,

src/main/kotlin/no/nav/tms/varsel/api/varselApi.kt

@@ -1,48 +1,57 @@
 package no.nav.tms.varsel.api
 
-import io.ktor.client.HttpClient
+import io.ktor.client.*
 import io.ktor.http.*
-import io.ktor.serialization.kotlinx.json.json
-import io.ktor.server.application.Application
-import io.ktor.server.application.ApplicationCall
-import io.ktor.server.application.ApplicationStopping
-import io.ktor.server.application.call
-import io.ktor.server.application.install
-import io.ktor.server.auth.authenticate
-import io.ktor.server.metrics.micrometer.MicrometerMetrics
-import io.ktor.server.plugins.contentnegotiation.ContentNegotiation
-import io.ktor.server.plugins.cors.routing.CORS
-import io.ktor.server.plugins.defaultheaders.DefaultHeaders
-import io.ktor.server.plugins.statuspages.StatusPages
+import io.ktor.serialization.kotlinx.json.*
+import io.ktor.server.application.*
+import io.ktor.server.application.hooks.*
+import io.ktor.server.auth.*
+import io.ktor.server.metrics.micrometer.*
+import io.ktor.server.plugins.*
+import io.ktor.server.plugins.contentnegotiation.*
+import io.ktor.server.plugins.cors.routing.*
+import io.ktor.server.plugins.defaultheaders.*
+import io.ktor.server.plugins.statuspages.*
 import io.ktor.server.request.*
 import io.ktor.server.response.*
-import io.ktor.server.routing.routing
-import io.ktor.util.pipeline.PipelineContext
+import io.ktor.server.routing.*
 import io.micrometer.prometheus.PrometheusConfig
 import io.micrometer.prometheus.PrometheusMeterRegistry
 import kotlinx.serialization.json.Json
 import mu.KotlinLogging
-import no.nav.tms.token.support.tokenx.validation.installTokenXAuth
+import no.nav.tms.token.support.authentication.installer.installAuthenticators
+import no.nav.tms.token.support.idporten.sidecar.user.IdportenUserFactory
+import no.nav.tms.token.support.tokendings.exchange.TokenXHeader
+import no.nav.tms.token.support.tokenx.validation.TokenXAuthenticator
 import no.nav.tms.token.support.tokenx.validation.user.TokenXUserFactory
 import no.nav.tms.varsel.api.varsel.VarselConsumer
 import no.nav.tms.varsel.api.varsel.varsel
 
+private const val ROOT_PATH = "/tms-varsel-api"
+
 fun Application.varselApi(
     corsAllowedOrigins: String,
     corsAllowedSchemes: String,
     httpClient: HttpClient,
     varselConsumer: VarselConsumer,
     authInstaller: Application.() -> Unit = {
-        installTokenXAuth {
-            setAsDefault = true
-
+        installAuthenticators {
+            installIdPortenAuth {
+                setAsDefault = true
+                rootPath = ROOT_PATH
+                inheritProjectRootPath = false
+            }
+            installTokenXAuth {
+                setAsDefault = false
+            }
         }
     }
 ) {
     val collectorRegistry = PrometheusMeterRegistry(PrometheusConfig.DEFAULT)
     val securelog = KotlinLogging.logger("secureLog")
 
     install(DefaultHeaders)
+    install(RouteByAuthenticationMethod)
 
     authInstaller()
 
@@ -69,14 +78,33 @@ fun Application.varselApi(
     }
 
     routing {
-        meta(collectorRegistry)
-
-        authenticate {
-            varsel(varselConsumer)
+        route(ROOT_PATH) {
+            meta(collectorRegistry)
+            authenticate {
+                route("/idporten") {
+                    varsel(varselConsumer) { IdportenUserFactory.createIdportenUser(call).tokenString }
+                }
+            }
+            authenticate(TokenXAuthenticator.name) {
+                route("/tokenx") {
+                    varsel(varselConsumer) { TokenXUserFactory.createTokenXUser(call).tokenString }
+                }
+            }
         }
     }
 
     configureShutdownHook(httpClient)
+
+    logRoutes()
+}
+
+private fun Application.logRoutes() {
+    val allRoutes = allRoutes(plugin(Routing))
+    val allRoutesWithMethod = allRoutes.filter { it.selector is HttpMethodRouteSelector }
+    log.info("Application has ${allRoutesWithMethod.size} routes")
+    allRoutesWithMethod.forEach {
+        log.info("route: $it")
+    }
 }
 
 private fun Application.configureShutdownHook(httpClient: HttpClient) {
@@ -85,12 +113,32 @@ private fun Application.configureShutdownHook(httpClient: HttpClient) {
     }
 }
 
-val PipelineContext<Unit, ApplicationCall>.userToken: String
-    get() = TokenXUserFactory.createTokenXUser(call).tokenString
-
 fun jsonConfig(): Json {
     return Json {
         this.ignoreUnknownKeys = true
         this.encodeDefaults = true
     }
-}
+}
+
+val RouteByAuthenticationMethod = createApplicationPlugin(name = "RouteByAuthenticationMethod") {
+    on(CallSetup) { call ->
+        val metaroutes = listOf("/metrics", "/internal/isReady", "/internal/isAlive")
+        val originalUri = call.request.uri
+        if (call.request.headers.contains(TokenXHeader.Authorization)) {
+            call.mutableOriginConnectionPoint.uri = originalUri.withAuthenication("tokenx")
+        } else {
+            if (!metaroutes.any { originalUri.contains(it) })
+                call.mutableOriginConnectionPoint.uri = originalUri.withAuthenication("idporten")
+        }
+    }
+}
+
+private fun String.withAuthenication(autheticationRoute: String) =
+    split("tms-varsel-api")
+        .let {
+            "/tms-varsel-api/$autheticationRoute${it.last()}"
+        }
+
+//DEBU
+
+fun allRoutes(root: Route): List<Route> = listOf(root) + root.children.flatMap { allRoutes(it) }