Bugfix/altinn3 tilgang (#3700)

Lagt til proxy for altinn3-tilgang-service i prod, oppdatert endepunkter for Altinn3-tilgang-service, oppdatert dolly-idporten frontend

---------

Co-authored-by: stigus <[email protected]>
Co-authored-by: Cato Olsen <[email protected]>

.github/workflows/integration-tests.yml

@@ -3,7 +3,6 @@ on:
   push:
     paths:
       - 'apps/bruker-service/**'
-      - 'apps/person-organisasjon-tilgang-service/**'
   workflow_dispatch:
 
 jobs:
@@ -14,11 +13,4 @@ jobs:
       working-directory: 'apps/bruker-service/'
       healthcheck: 'http://localhost:8002/internal/isAlive'
     secrets:
-      NAV_TOKEN: ${{ secrets.NAV_TOKEN }}
-  person-organisasjon-tilgang-service:
-    if: github.event.pull_request.draft == false
-    uses: ./.github/workflows/common.integration-test.yml
-    with:
-      working-directory: 'apps/person-organisasjon-tilgang-service/'
-      healthcheck: 'http://localhost:8001/internal/isAlive'
-    secrets: inherit
+      NAV_TOKEN: ${{ secrets.NAV_TOKEN }}

apps/altinn3-tilgang-service/README.md

@@ -10,3 +10,4 @@ Swagger finnes under [/swagger-ui.html](https://testnav-altinn3-tilgang-service.
 ## Lokal kjøring
 * [Generelt.](../../docs/local_general.md)
 * [Secret Manager.](../../docs/local_secretmanager.md)
+* [Database i GCP.](../../docs/gcp_db.md)

apps/altinn3-tilgang-service/build.gradle

@@ -10,6 +10,7 @@ sonarqube {
 }
 
 dependencies {
+    implementation "no.nav.testnav.libs:data-transfer-objects"
     implementation "no.nav.testnav.libs:reactive-core"
     implementation "no.nav.testnav.libs:reactive-security"
 

apps/altinn3-tilgang-service/config.dev.yml

@@ -23,6 +23,7 @@ spec:
       consumes:
         - name: altinn:resourceregistry/accesslist.read
         - name: altinn:resourceregistry/accesslist.write
+        - name: altinn:accessmanagement/authorizedparties.resourceowner
   accessPolicy:
     inbound:
       rules:

apps/altinn3-tilgang-service/config.prod.yml

@@ -23,6 +23,7 @@ spec:
       consumes:
         - name: altinn:resourceregistry/accesslist.read
         - name: altinn:resourceregistry/accesslist.write
+        - name: altinn:accessmanagement/authorizedparties.resourceowner
   accessPolicy:
     inbound:
       rules:

apps/altinn3-tilgang-service/docker-compose.yml

@@ -0,0 +1,18 @@
+services:
+
+  cloud_sql_proxy:
+    image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.14.2
+    network_mode: host
+    command:
+      - "dolly-dev-ff83:europe-north1:testnav-altinn3-tilgang-local"
+      - "--credentials-file=/application_default_credentials.json"
+      - "--run-connection-test"
+    volumes:
+      - type: bind
+        # Set a variable $DOLLY_APPLICATION_CREDENTIALS. We don't use
+        # GOOGLE_APPLICATION_CREDENTIALS, as this causes an extra step during login.
+        #
+        #  - $HOME/.config/gcloud/application_default_credentials.json for Linux/macOS.
+        #  - $APPDATA/gcloud/application_default_credentials.json for Windows.
+        source: $DOLLY_APPLICATION_CREDENTIALS
+        target: /application_default_credentials.json

apps/altinn3-tilgang-service/settings.gradle

@@ -6,9 +6,9 @@ rootProject.name = 'altinn3-tilgang-service'
 
 includeBuild "../../plugins/java"
 
+includeBuild '../../libs/data-transfer-objects'
 includeBuild '../../libs/reactive-core'
 includeBuild '../../libs/reactive-security'
-includeBuild '../../libs/vault'
 
 develocity {
     buildScan {

apps/altinn3-tilgang-service/src/main/java/no/nav/testnav/altinn3tilgangservice/consumer/altinn/AltinnConsumer.java

@@ -10,8 +10,11 @@
 import no.nav.testnav.altinn3tilgangservice.consumer.altinn.command.CreateAccessListeMemberCommand;
 import no.nav.testnav.altinn3tilgangservice.consumer.altinn.command.DeleteAccessListMemberCommand;
 import no.nav.testnav.altinn3tilgangservice.consumer.altinn.command.GetAccessListMembersCommand;
+import no.nav.testnav.altinn3tilgangservice.consumer.altinn.command.GetAuthorizedPartiesCommand;
 import no.nav.testnav.altinn3tilgangservice.consumer.altinn.command.GetExchangeTokenCommand;
-import no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto.AltinnResponseDTO;
+import no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto.AltinnAccessListResponseDTO;
+import no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto.AltinnAuthorizedPartiesRequestDTO;
+import no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto.AuthorizedPartyDTO;
 import no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto.BrregResponseDTO;
 import no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto.OrganisasjonCreateDTO;
 import no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto.OrganisasjonDeleteDTO;
@@ -25,6 +28,7 @@
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
 
+import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
 
@@ -76,7 +80,7 @@ public Flux<Organisasjon> delete(String organisasjonsnummer) {
 
         return Flux.from(getAccessListMembers()
                         .flatMapMany(value -> Flux.fromIterable(value.getData()))
-                        .map(AltinnResponseDTO.AccessListMembershipDTO::getIdentifiers)
+                        .map(AltinnAccessListResponseDTO.AccessListMembershipDTO::getIdentifiers)
                         .collectList()
                         .map(data -> getIdentifier(data, organisasjonsnummer))
                         .map(identifier ->
@@ -106,16 +110,16 @@ public Flux<Organisasjon> create(String organisasjonsnummer) {
                         new OrganisasjonCreateDTO(organisasjonsnummer),
                         altinnConfig).call())
                 .flatMapMany(response ->
-                                isBlank(response.getFeilmelding()) ?
-                        Flux.fromIterable(response.getData())
-                                .map(this::getOrgnummer)
-                                .filter(organisasjonsnummer::equals)
-                                .flatMap(brregConsumer::getEnheter) :
-                        Mono.just(BrregResponseDTO.builder()
-                                .organisasjonsnummer(organisasjonsnummer)
-                                .feilmelding(response.getFeilmelding())
-                                .status(response.getStatus())
-                                .build()))
+                        isBlank(response.getFeilmelding()) ?
+                                Flux.fromIterable(response.getData())
+                                        .map(this::getOrgnummer)
+                                        .filter(organisasjonsnummer::equals)
+                                        .flatMap(brregConsumer::getEnheter) :
+                                Mono.just(BrregResponseDTO.builder()
+                                        .organisasjonsnummer(organisasjonsnummer)
+                                        .feilmelding(response.getFeilmelding())
+                                        .status(response.getStatus())
+                                        .build()))
                 .map(response -> mapperFacade.map(response, Organisasjon.class));
     }
 
@@ -125,7 +129,18 @@ public Flux<Organisasjon> getOrganisasjoner() {
                 .flatMapMany(this::convertToOrganisasjon);
     }
 
-    private Mono<AltinnResponseDTO> getAccessListMembers() {
+    public Flux<AuthorizedPartyDTO> getAuthorizedParties(String ident) {
+
+        return maskinportenConsumer.getAccessToken()
+                .flatMap(this::exchangeToken)
+                .flatMap(exchangeToken -> new GetAuthorizedPartiesCommand(webClient,
+                        new AltinnAuthorizedPartiesRequestDTO(ident),
+                        exchangeToken).call())
+                .map(Arrays::asList)
+                .flatMapIterable(list -> list);
+    }
+
+    private Mono<AltinnAccessListResponseDTO> getAccessListMembers() {
 
         return maskinportenConsumer.getAccessToken()
                 .flatMap(this::exchangeToken)
@@ -135,7 +150,7 @@ private Mono<AltinnResponseDTO> getAccessListMembers() {
                         altinnConfig).call());
     }
 
-    private Flux<Organisasjon> convertToOrganisasjon(AltinnResponseDTO altInnResponse) {
+    private Flux<Organisasjon> convertToOrganisasjon(AltinnAccessListResponseDTO altInnResponse) {
 
         return Flux.fromIterable(altInnResponse.getData())
                 .map(this::getOrgnummer)
@@ -155,7 +170,7 @@ private OrganisasjonDeleteDTO getIdentifier(List<JsonNode> data, String organisa
     }
 
     @SneakyThrows
-    private String getOrgnummer(AltinnResponseDTO.AccessListMembershipDTO data) {
+    private String getOrgnummer(AltinnAccessListResponseDTO.AccessListMembershipDTO data) {
 
         return data.getIdentifiers()
                 .get(ORGANISASJON_ID)

apps/altinn3-tilgang-service/src/main/java/no/nav/testnav/altinn3tilgangservice/consumer/altinn/command/CreateAccessListeMemberCommand.java

@@ -3,7 +3,7 @@
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import no.nav.testnav.altinn3tilgangservice.config.AltinnConfig;
-import no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto.AltinnResponseDTO;
+import no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto.AltinnAccessListResponseDTO;
 import no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto.OrganisasjonCreateDTO;
 import no.nav.testnav.libs.reactivecore.utils.WebClientFilter;
 import org.springframework.http.HttpHeaders;
@@ -16,7 +16,7 @@
 
 @Slf4j
 @RequiredArgsConstructor
-public class CreateAccessListeMemberCommand implements Callable<Mono<AltinnResponseDTO>> {
+public class CreateAccessListeMemberCommand implements Callable<Mono<AltinnAccessListResponseDTO>> {
 
     private static final String ALTINN_URL = "/resourceregistry/api/v1/access-lists/{owner}/{identifier}/members";
 
@@ -27,7 +27,7 @@ public class CreateAccessListeMemberCommand implements Callable<Mono<AltinnRespo
 
 
     @Override
-    public Mono<AltinnResponseDTO> call() {
+    public Mono<AltinnAccessListResponseDTO> call() {
 
         return webClient
                 .post()
@@ -37,14 +37,14 @@ public Mono<AltinnResponseDTO> call() {
                 .header(HttpHeaders.AUTHORIZATION, "Bearer " + token)
                 .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
                 .retrieve()
-                .bodyToMono(AltinnResponseDTO.class)
+                .bodyToMono(AltinnAccessListResponseDTO.class)
                 .doOnError(WebClientFilter::logErrorMessage)
                 .doOnSuccess(value -> log.info("Altinn organisasjontilgang opprettet for {}",
                         organisasjon.getData().stream()
                                 .map(data -> data.split(":"))
                                 .map(data -> data[data.length-1])
                                 .collect(Collectors.joining())))
-                .onErrorResume(throwable -> Mono.just(AltinnResponseDTO.builder()
+                .onErrorResume(throwable -> Mono.just(AltinnAccessListResponseDTO.builder()
                                 .status(WebClientFilter.getStatus(throwable))
                                 .feilmelding(WebClientFilter.getMessage(throwable))
                         .build()));

apps/altinn3-tilgang-service/src/main/java/no/nav/testnav/altinn3tilgangservice/consumer/altinn/command/DeleteAccessListMemberCommand.java

@@ -3,7 +3,7 @@
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import no.nav.testnav.altinn3tilgangservice.config.AltinnConfig;
-import no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto.AltinnResponseDTO;
+import no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto.AltinnAccessListResponseDTO;
 import no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto.OrganisasjonDeleteDTO;
 import no.nav.testnav.libs.reactivecore.utils.WebClientFilter;
 import org.springframework.http.HttpHeaders;
@@ -19,7 +19,7 @@
 
 @Slf4j
 @RequiredArgsConstructor
-public class DeleteAccessListMemberCommand implements Callable<Mono<AltinnResponseDTO>> {
+public class DeleteAccessListMemberCommand implements Callable<Mono<AltinnAccessListResponseDTO>> {
 
     private static final String ALTINN_URL = "/resourceregistry/api/v1/access-lists/{owner}/{identifier}/members";
 
@@ -30,7 +30,7 @@ public class DeleteAccessListMemberCommand implements Callable<Mono<AltinnRespon
 
 
     @Override
-    public Mono<AltinnResponseDTO> call() {
+    public Mono<AltinnAccessListResponseDTO> call() {
 
         return webClient
                 .method(HttpMethod.DELETE)
@@ -41,7 +41,7 @@ public Mono<AltinnResponseDTO> call() {
                 .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
                 .bodyValue(identifiers)
                 .retrieve()
-                .bodyToMono(AltinnResponseDTO.class)
+                .bodyToMono(AltinnAccessListResponseDTO.class)
                 .doOnSuccess(value -> log.info("Altinn organisasjontilgang slettet for {}",
                         identifiers.getData().stream()
                                 .filter(data -> data.contains(ORGANISASJON_ID))

apps/altinn3-tilgang-service/src/main/java/no/nav/testnav/altinn3tilgangservice/consumer/altinn/command/GetAccessListMembersCommand.java

@@ -3,7 +3,7 @@
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import no.nav.testnav.altinn3tilgangservice.config.AltinnConfig;
-import no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto.AltinnResponseDTO;
+import no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto.AltinnAccessListResponseDTO;
 import no.nav.testnav.libs.reactivecore.utils.WebClientFilter;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
@@ -14,7 +14,7 @@
 
 @Slf4j
 @RequiredArgsConstructor
-public class GetAccessListMembersCommand implements Callable<Mono<AltinnResponseDTO>> {
+public class GetAccessListMembersCommand implements Callable<Mono<AltinnAccessListResponseDTO>> {
 
     private static final String ALTINN_URL = "/resourceregistry/api/v1/access-lists/{owner}/{identifier}/members";
 
@@ -23,7 +23,7 @@ public class GetAccessListMembersCommand implements Callable<Mono<AltinnResponse
     private final AltinnConfig altinnConfig;
 
     @Override
-    public Mono<AltinnResponseDTO> call() {
+    public Mono<AltinnAccessListResponseDTO> call() {
 
         return webClient
                 .get()
@@ -32,7 +32,7 @@ public Mono<AltinnResponseDTO> call() {
                 .header(HttpHeaders.AUTHORIZATION, "Bearer " + token)
                 .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
                 .retrieve()
-                .bodyToMono(AltinnResponseDTO.class)
+                .bodyToMono(AltinnAccessListResponseDTO.class)
                 .doOnError(WebClientFilter::logErrorMessage)
                 .doOnSuccess(value -> log.info("Altinn-tilgang hentet"));
     }

apps/altinn3-tilgang-service/src/main/java/no/nav/testnav/altinn3tilgangservice/consumer/altinn/command/GetAuthorizedPartiesCommand.java

@@ -0,0 +1,40 @@
+package no.nav.testnav.altinn3tilgangservice.consumer.altinn.command;
+
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto.AltinnAuthorizedPartiesRequestDTO;
+import no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto.AuthorizedPartyDTO;
+import no.nav.testnav.libs.reactivecore.utils.WebClientFilter;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
+import org.springframework.web.reactive.function.client.WebClient;
+import reactor.core.publisher.Mono;
+
+import java.util.concurrent.Callable;
+
+@Slf4j
+@RequiredArgsConstructor
+public class GetAuthorizedPartiesCommand implements Callable<Mono<AuthorizedPartyDTO[]>> {
+
+    private static final String ALTINN_URL = "/accessmanagement/api/v1/resourceowner/authorizedparties";
+
+    private final WebClient webClient;
+    private final AltinnAuthorizedPartiesRequestDTO request;
+    private final String token;
+
+    @Override
+    public Mono<AuthorizedPartyDTO[]> call() {
+
+        log.info("Spørring på bruker {}", request);
+        return webClient
+                .post()
+                .uri(builder -> builder.path(ALTINN_URL)
+                        .build())
+                .header(HttpHeaders.AUTHORIZATION, "Bearer " + token)
+                .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
+                .bodyValue(request)
+                .retrieve()
+                .bodyToMono(AuthorizedPartyDTO[].class)
+                .doOnError(WebClientFilter::logErrorMessage);
+    }
+}

apps/altinn3-tilgang-service/src/main/java/no/nav/testnav/altinn3tilgangservice/consumer/altinn/dto/AltinnResponseDTO.java → apps/altinn3-tilgang-service/src/main/java/no/nav/testnav/altinn3tilgangservice/consumer/altinn/dto/AltinnAccessListResponseDTO.java

@@ -17,7 +17,7 @@
 @Builder
 @NoArgsConstructor
 @AllArgsConstructor
-public class AltinnResponseDTO {
+public class AltinnAccessListResponseDTO {
 
     private List<AccessListMembershipDTO> data;
     private String feilmelding;

apps/altinn3-tilgang-service/src/main/java/no/nav/testnav/altinn3tilgangservice/consumer/altinn/dto/AltinnAuthorizedPartiesRequestDTO.java

@@ -0,0 +1,18 @@
+package no.nav.testnav.altinn3tilgangservice.consumer.altinn.dto;
+
+import lombok.Data;
+
+@Data
+public class AltinnAuthorizedPartiesRequestDTO {
+
+    private static final String IDENT_IDENTIFIKATOR = "urn:altinn:person:identifier-no";
+
+    private String type;
+    private String value;
+
+    public AltinnAuthorizedPartiesRequestDTO(String ident) {
+
+        this.type = IDENT_IDENTIFIKATOR;
+        this.value = ident;
+    }
+}