cleanup/AAD_ISSUER_URI-replacement (#3734)

Startet fjerning av AAD_ISSUER_URI i adresse-service, som nå bruker en felles NaisEnvironmentApplicationContextInitializer for å emulere NAIS ved lokal kjøring og i tester.
navikt · Jan 29, 2025 · 77774e6 · 77774e6
1 parent a5373c9
commit 77774e6
Show file tree

Hide file tree

Showing 22 changed files with 96 additions and 69 deletions.
diff --git a/...ce/src/main/java/no/nav/testnav/apps/adresseservice/AdresseServiceApplicationStarter.java b/...ce/src/main/java/no/nav/testnav/apps/adresseservice/AdresseServiceApplicationStarter.java
@@ -1,13 +1,16 @@
 package no.nav.testnav.apps.adresseservice;
 
-import org.springframework.boot.SpringApplication;
+import no.nav.testnav.libs.servletcore.config.NaisEnvironmentApplicationContextInitializer;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.builder.SpringApplicationBuilder;
 
 @SpringBootApplication
 public class AdresseServiceApplicationStarter {
 
     public static void main(String[] args) {
-
-        SpringApplication.run(AdresseServiceApplicationStarter.class, args);
+        new SpringApplicationBuilder(AdresseServiceApplicationStarter.class)
+                .initializers(new NaisEnvironmentApplicationContextInitializer())
+                .run(args);
     }
+
 }
diff --git a/apps/adresse-service/src/main/resources/application-local.yml b/apps/adresse-service/src/main/resources/application-local.yml
@@ -1,5 +1,3 @@
-AZURE_APP_CLIENT_ID: ${sm\://azure-app-client-id}
-AZURE_APP_CLIENT_SECRET: ${sm\://azure-app-client-secret}
 TOKEN_X_CLIENT_ID: dev-gcp:dolly:testnav-adresse-service
 
 spring:

diff --git a/apps/adresse-service/src/main/resources/application.yml b/apps/adresse-service/src/main/resources/application.yml
@@ -1,5 +1,3 @@
-AAD_ISSUER_URI: https://login.microsoftonline.com/62366534-1ec3-4962-8869-9b5535279d0b
-
 spring:
   application:
     name: adresse-service
@@ -9,12 +7,10 @@ spring:
     oauth2:
       resourceserver:
         aad:
-          issuer-uri: ${AAD_ISSUER_URI}/v2.0
-          jwk-set-uri: ${AAD_ISSUER_URI}/discovery/v2.0/keys
+          issuer-uri: ${AZURE_OPENID_CONFIG_ISSUER}
           accepted-audience:  ${AZURE_APP_CLIENT_ID}, api:// ${AZURE_APP_CLIENT_ID}
         tokenx:
-          issuer-uri: ${TOKEN_X_ISSUER} 
-          jwk-set-uri: ${TOKEN_X_JWKS_URI}
+          issuer-uri: ${TOKEN_X_ISSUER}
           accepted-audience: ${TOKEN_X_CLIENT_ID}
 
 springdoc:
@@ -31,7 +27,8 @@ consumers:
 
 management:
   endpoints:
-    enabled-by-default: true
+    access:
+      default: read_only
     web:
       base-path: /internal
       exposure:
@@ -40,7 +37,7 @@ management:
         prometheus: metrics
   endpoint:
     prometheus:
-      enabled: true
+      access: read_only
   prometheus:
     metrics:
       export:

diff --git a/...esse-service/src/test/java/no/nav/testnav/apps/adresseservice/ApplicationContextTest.java b/...esse-service/src/test/java/no/nav/testnav/apps/adresseservice/ApplicationContextTest.java
@@ -1,13 +1,16 @@
 package no.nav.testnav.apps.adresseservice;
 
+import no.nav.testnav.libs.servletcore.config.NaisEnvironmentApplicationContextInitializer;
 import org.junit.jupiter.api.Test;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.ContextConfiguration;
 
 import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
 
 @SpringBootTest
 @ActiveProfiles("test")
+@ContextConfiguration(initializers = NaisEnvironmentApplicationContextInitializer.class)
 class ApplicationContextTest {
 
     @Test

diff --git a/apps/adresse-service/src/test/resources/application-test.yml b/apps/adresse-service/src/test/resources/application-test.yml
@@ -1,7 +0,0 @@
-TOKEN_X_ISSUER: dummy
-
-spring:
-  cloud:
-    gcp:
-      secretmanager:
-        enabled: false

diff --git a/apps/dolly-backend/src/main/resources/application-local.yml b/apps/dolly-backend/src/main/resources/application-local.yml
@@ -27,12 +27,6 @@ management:
     elasticsearch:
       enabled: false
 
-azure:
-  app:
-    client:
-      id: ${sm\://azure-app-client-id}
-      secret: ${sm\://azure-app-client-secret}
-
 open:
   search:
     uri: http://localhost:9200

diff --git a/...rofil-api/src/main/java/no/nav/registre/testnorge/profil/service/AzureAdTokenService.java b/...rofil-api/src/main/java/no/nav/registre/testnorge/profil/service/AzureAdTokenService.java
@@ -24,17 +24,16 @@ public class AzureAdTokenService {
     private final AzureClientCredential clientCredential;
     private final GetAuthenticatedToken getAuthenticatedToken;
 
-    public AzureAdTokenService(
+    AzureAdTokenService(
             @Value("${http.proxy:#{null}}") String proxyHost,
-            @Value("${AAD_ISSUER_URI}") String issuerUrl,
             AzureClientCredential clientCredential,
             GetAuthenticatedToken getAuthenticatedToken
     ) {
         log.info("Init custom AzureAd token exchange.");
         this.getAuthenticatedToken = getAuthenticatedToken;
         WebClient.Builder builder = WebClient
                 .builder()
-                .baseUrl(issuerUrl + "/oauth2/v2.0/token")
+                .baseUrl(clientCredential.getTokenEndpoint())
                 .defaultHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE);
 
         if (proxyHost != null) {

diff --git a/apps/testnorge-statisk-data-forvalter/src/test/resources/application-test.yml b/apps/testnorge-statisk-data-forvalter/src/test/resources/application-test.yml
@@ -65,7 +65,7 @@ aareg:
   pageSize: 2
 
 controller.staticdata.cache.hours: 24
-azure.app.client.id: dummy
+AZURE_APP_CLIENT_ID: dummy
 
 KAFKA_SCHEMA_REGISTRY: http://localhost:9009
 kafka.groupid: organisasjon-forvalter-v1

diff --git a/...ain/java/no/nav/testnav/libs/reactivesecurity/exchange/TokenServiceAutoConfiguration.java b/...ain/java/no/nav/testnav/libs/reactivesecurity/exchange/TokenServiceAutoConfiguration.java
@@ -28,19 +28,17 @@ AzureTokenService azureAdTokenServiceTest(
             AzureClientCredential clientCredential,
             GetAuthenticatedToken getAuthenticatedToken
     ) {
-        return new AzureTokenService(null, null, clientCredential, getAuthenticatedToken);
+        return new AzureTokenService(null, clientCredential, getAuthenticatedToken);
     }
 
     @Bean
     @ConditionalOnDollyApplicationConfiguredForAzure
     @ConditionalOnMissingBean(AzureTokenService.class)
     AzureTokenService azureAdTokenService(
-            @Value("${AAD_ISSUER_URI:#{null}}") String issuerUrl,
             AzureClientCredential clientCredential,
             GetAuthenticatedToken getAuthenticatedToken
     ) {
-        Assert.notNull(issuerUrl, "AAD_ISSUER_URI must be set");
-        return new AzureTokenService(httpProxy, issuerUrl, clientCredential, getAuthenticatedToken);
+        return new AzureTokenService(httpProxy, clientCredential, getAuthenticatedToken);
     }
 
     @Primary

diff --git a/...rc/main/java/no/nav/testnav/libs/reactivesecurity/exchange/azuread/AzureTokenService.java b/...rc/main/java/no/nav/testnav/libs/reactivesecurity/exchange/azuread/AzureTokenService.java
@@ -33,15 +33,14 @@ public class AzureTokenService implements TokenService {
 
     public AzureTokenService(
             String proxyHost,
-            String issuerUrl,
             AzureClientCredential azureClientCredential,
             GetAuthenticatedToken getAuthenticatedToken
     ) {
         log.info("Init AzureAd token exchange.");
 
         WebClient.Builder builder = WebClient
                 .builder()
-                .baseUrl(issuerUrl + "/oauth2/v2.0/token")
+                .baseUrl(azureClientCredential.getTokenEndpoint())
                 .defaultHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE);
 
         if (proxyHost != null) {

diff --git a/.../main/java/no/nav/testnav/libs/reactivesessionsecurity/exchange/AzureAdTokenExchange.java b/.../main/java/no/nav/testnav/libs/reactivesessionsecurity/exchange/AzureAdTokenExchange.java
@@ -7,7 +7,6 @@
 import no.nav.testnav.libs.securitycore.domain.ServerProperties;
 import no.nav.testnav.libs.securitycore.domain.azuread.AzureClientCredential;
 import no.nav.testnav.libs.securitycore.domain.azuread.ClientCredential;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
 import org.springframework.stereotype.Service;
@@ -22,14 +21,13 @@ public class AzureAdTokenExchange implements ExchangeToken {
     private final TokenResolver tokenResolver;
     private final ClientCredential clientCredential;
 
-    public AzureAdTokenExchange(
-            @Value("${AAD_ISSUER_URI}") String issuerUrl,
+    AzureAdTokenExchange(
             TokenResolver tokenResolver,
             AzureClientCredential clientCredential) {
 
         this.webClient = WebClient
                 .builder()
-                .baseUrl(issuerUrl + "/oauth2/v2.0/token")
+                .baseUrl(clientCredential.getTokenEndpoint())
                 .defaultHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
                 .build();
         this.tokenResolver = tokenResolver;

diff --git a/...va/no/nav/testnav/libs/securitycore/domain/azuread/ClientCredentialAutoConfiguration.java b/...va/no/nav/testnav/libs/securitycore/domain/azuread/ClientCredentialAutoConfiguration.java
@@ -6,7 +6,6 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Primary;
 import org.springframework.context.annotation.Profile;
-import org.springframework.util.Assert;
 
 @AutoConfiguration
 public class ClientCredentialAutoConfiguration {
@@ -26,11 +25,10 @@ AzureClientCredential azureClientCredentialTest() {
     @ConditionalOnDollyApplicationConfiguredForAzure
     @ConditionalOnMissingBean(AzureClientCredential.class)
     AzureClientCredential azureClientCredential(
-            @Value("${AAD_ISSUER_URI}") String azureTokenEndpoint, // TODO: Not currently used, AAD_ISSUER_URI is hardcoded elsewhere; should be refactored to use AZURE_OPENID_CONFIG_TOKEN_ENDPOINT instead.
+            @Value("${AZURE_OPENID_CONFIG_TOKEN_ENDPOINT}") String azureTokenEndpoint,
             @Value("${AZURE_APP_CLIENT_ID}") String azureClientId,
             @Value("${AZURE_APP_CLIENT_SECRET}") String azureClientSecret
     ) {
-
         return new AzureClientCredential(azureTokenEndpoint, azureClientId, azureClientSecret);
     }
 

diff --git a/...nav/libs/securitycore/domain/azuread/ConditionalOnDollyApplicationConfiguredForAzure.java b/...nav/libs/securitycore/domain/azuread/ConditionalOnDollyApplicationConfiguredForAzure.java
@@ -19,7 +19,7 @@
  * Conditional that matches if the application is configured for Nav.
  * Requires the following properties set:
  * <ul>
- *     <li>AAD_ISSUER_URI</li>
+ *     <li>AZURE_OPENID_CONFIG_TOKEN_ENDPOINT</li>
  *     <li>AZURE_APP_CLIENT_ID</li>
  *     <li>AZURE_APP_CLIENT_SECRET</li>
  * </ul>
@@ -33,7 +33,7 @@
 class OnDollyApplicationConfiguredForAzureCondition extends SpringBootCondition {
 
     private static final List<String> REQUIRED = Arrays.asList(
-            "AAD_ISSUER_URI",
+            "AZURE_OPENID_CONFIG_TOKEN_ENDPOINT",
             "AZURE_APP_CLIENT_ID",
             "AZURE_APP_CLIENT_SECRET"
     );

diff --git a/.../no/nav/testnav/libs/servletcore/config/NaisEnvironmentApplicationContextInitializer.java b/.../no/nav/testnav/libs/servletcore/config/NaisEnvironmentApplicationContextInitializer.java
@@ -0,0 +1,60 @@
+package no.nav.testnav.libs.servletcore.config;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.context.ApplicationContextInitializer;
+import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.lang.NonNull;
+
+import java.util.Map;
+import java.util.stream.Stream;
+
+@Slf4j
+public class NaisEnvironmentApplicationContextInitializer implements ApplicationContextInitializer<ConfigurableApplicationContext> {
+
+    private static final String DUMMY = "dummy";
+
+    @Override
+    public void initialize(@NonNull ConfigurableApplicationContext context) {
+
+        var environment = context.getEnvironment();
+        Stream
+                .of(environment.getActiveProfiles())
+                .forEach(profile -> {
+                    switch (profile) {
+                        case "local" -> configureForLocalProfile(environment.getSystemProperties());
+                        case "test" -> configureForTestProfile(environment.getSystemProperties());
+                        default -> { /* Do nothing. */ }
+                    }
+                });
+
+    }
+
+    private static void configureForLocalProfile(Map<String, Object> properties) {
+
+        log.info("Configuring environment for local profile using Secret Manager");
+
+        // Emulating NAIS provided environment variables.
+        properties.putIfAbsent("AZURE_APP_CLIENT_ID", "${sm\\://azure-app-client-id}");
+        properties.putIfAbsent("AZURE_APP_CLIENT_SECRET", "${sm\\://azure-app-client-secret}");
+        properties.putIfAbsent("AZURE_OPENID_CONFIG_ISSUER", "${sm\\://azure-openid-config-issuer}");
+        properties.putIfAbsent("AZURE_OPENID_CONFIG_TOKEN_ENDPOINT", "${sm\\://azure-openid-config-token-endpoint}");
+        properties.putIfAbsent("TOKEN_X_ISSUER", "${sm\\://token-x-issuer}");
+        properties.putIfAbsent("TOKEN_X_JWKS_URI", "${sm\\://token-x-jwks-uri}");
+
+    }
+
+    private static void configureForTestProfile(Map<String, Object> properties) {
+
+        log.info("Configuring environment for test profile using dummy values");
+
+        // Disabling Secret Manager (not available when running builds on GitHub).
+        properties.putIfAbsent("spring.cloud.gcp.secretmanager.enabled", "false");
+
+        // Setting dummy placeholders.
+        properties.putIfAbsent("AZURE_OPENID_CONFIG_ISSUER", DUMMY);
+        properties.putIfAbsent("AZURE_OPENID_CONFIG_TOKEN_ENDPOINT", DUMMY);
+        properties.putIfAbsent("TOKEN_X_ISSUER", DUMMY);
+
+    }
+
+}
diff --git a/...let-core/src/main/java/no/nav/testnav/libs/servletcore/logging/TestnavLogbackEncoder.java b/...let-core/src/main/java/no/nav/testnav/libs/servletcore/logging/TestnavLogbackEncoder.java
@@ -28,6 +28,7 @@
  *
  * @see StringUtils#truncate(CharSequence, int)
  */
+@Setter
 @Slf4j
 @SuppressWarnings("java:S110")
 public class TestnavLogbackEncoder extends LogstashEncoder {
@@ -36,13 +37,8 @@ public class TestnavLogbackEncoder extends LogstashEncoder {
     private static final Pattern IDENT = Pattern.compile("(?<!\\d)\\d{11}(?!\\d)");
     private static final Pattern BEARER = Pattern.compile("Bearer [a-zA-Z0-9\\-_.]+");
 
-    @Setter
     private int maxStackTraceLength = 480;
-
-    @Setter
     private boolean addCauses = false;
-
-    @Setter
     private String stackTraceIncludePrefix = null;
 
     @SneakyThrows

diff --git a/...ain/java/no/nav/testnav/libs/standalone/servletsecurity/exchange/AzureAdTokenService.java b/...ain/java/no/nav/testnav/libs/standalone/servletsecurity/exchange/AzureAdTokenService.java
@@ -25,15 +25,14 @@ public class AzureAdTokenService implements ExchangeToken {
     private final WebClient webClient;
     private final ClientCredential clientCredential;
 
-    public AzureAdTokenService(
+    AzureAdTokenService(
             @Value("${http.proxy:#{null}}") String proxyHost,
-            @Value("${AAD_ISSUER_URI}") String issuerUrl,
             AzureClientCredential clientCredential
     ) {
         log.info("Init AzureAd token exchange.");
         WebClient.Builder builder = WebClient
                 .builder()
-                .baseUrl(issuerUrl + "/oauth2/v2.0/token")
+                .baseUrl(clientCredential.getTokenEndpoint())
                 .defaultHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE);
 
         if (proxyHost != null) {

diff --git a/...urity/src/main/java/no/nav/testnav/libs/servletsecurity/exchange/AzureAdTokenService.java b/...urity/src/main/java/no/nav/testnav/libs/servletsecurity/exchange/AzureAdTokenService.java
@@ -31,17 +31,16 @@ public class AzureAdTokenService implements TokenService {
     private final ClientCredential clientCredential;
     private final GetAuthenticatedToken getAuthenticatedToken;
 
-    public AzureAdTokenService(
+    AzureAdTokenService(
             @Value("${http.proxy:#{null}}") String proxyHost,
-            @Value("${AAD_ISSUER_URI}") String issuerUrl,
             AzureClientCredential clientCredential,
             GetAuthenticatedToken getAuthenticatedToken
     ) {
         log.info("Init AzureAd token exchange.");
         this.getAuthenticatedToken = getAuthenticatedToken;
         WebClient.Builder builder = WebClient
                 .builder()
-                .baseUrl(issuerUrl + "/oauth2/v2.0/token")
+                .baseUrl(clientCredential.getTokenEndpoint())
                 .defaultHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE);
 
         if (proxyHost != null) {

diff --git a/proxies/fullmakt-proxy/src/main/resources/application.yml b/proxies/fullmakt-proxy/src/main/resources/application.yml
@@ -10,7 +10,7 @@ spring:
         aad:
           issuer-uri: ${AAD_ISSUER_URI}/v2.0
           jwk-set-uri: ${AAD_ISSUER_URI}/discovery/v2.0/keys
-          accepted-audience: ${azure.app.client.id}, api://${azure.app.client.id}
+          accepted-audience: ${AZURE_APP_CLIENT_ID}, api://${AZURE_APP_CLIENT_ID}
         tokenx:
           issuer-uri: ${TOKEN_X_ISSUER}
           jwk-set-uri: ${TOKEN_X_JWKS_URI}

diff --git a/proxies/sykemelding-proxy/src/main/resources/application.yml b/proxies/sykemelding-proxy/src/main/resources/application.yml
@@ -10,7 +10,7 @@ spring:
         aad:
           issuer-uri: ${AAD_ISSUER_URI}/v2.0
           jwk-set-uri: ${AAD_ISSUER_URI}/discovery/v2.0/keys
-          accepted-audience: ${azure.app.client.id}, api://${azure.app.client.id}
+          accepted-audience: ${AZURE_APP_CLIENT_ID}, api://${AZURE_APP_CLIENT_ID}
         tokenx:
           issuer-uri: ${TOKEN_X_ISSUER}
           jwk-set-uri: ${TOKEN_X_JWKS_URI}

diff --git a/proxies/synthdata-meldekort-proxy/src/main/resources/application-local.yml b/proxies/synthdata-meldekort-proxy/src/main/resources/application-local.yml
@@ -1,5 +1,6 @@
 AZURE_APP_CLIENT_ID: ${sm\://azure-app-client-id}
 AZURE_APP_CLIENT_SECRET: ${sm\://azure-app-client-secret}
+AZURE_OPENID_CONFIG_ISSUER: ${sm\://azure-openid-config-issuer}
 
 spring:
   cloud:
@@ -9,11 +10,6 @@ spring:
   config:
     import: "sm://"
 
-azure:
-  openid:
-    config:
-      issuer: https://login.microsoftonline.com/62366534-1ec3-4962-8869-9b5535279d0b
-
 consumers:
   synt-meldekort:
     url: https://synthdata-arena-meldekort.intern.dev.nav.no