AuthFilter returnerer 401 ved manglende token. Fjerne ubrukte beans (#…

…1340)

felles/abac-kontekst/src/main/resources/META-INF/beans.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="https://jakarta.ee/xml/ns/jakartaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_3_0.xsd"
-       version="3.0"
+       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_4_0.xsd"
+       version="4.0"
        bean-discovery-mode="annotated">
 </beans>

felles/abac/src/main/resources/META-INF/beans.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="https://jakarta.ee/xml/ns/jakartaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_3_0.xsd"
-       version="3.0"
+       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_4_0.xsd"
+       version="4.0"
        bean-discovery-mode="annotated">
 </beans>

felles/abac/src/test/resources/META-INF/beans.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="https://jakarta.ee/xml/ns/jakartaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_3_0.xsd"
-       version="3.0"
+       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_4_0.xsd"
+       version="4.0"
        bean-discovery-mode="annotated">
 </beans>

felles/auth-filter/src/main/java/no/nav/vedtak/sikkerhet/jaxrs/AuthenticationFilterDelegate.java

@@ -70,10 +70,10 @@ public static void validerSettKontekst(ResourceInfo resourceInfo, ContainerReque
             } else if (beskyttetRessurs == null) {
                 throw new WebApplicationException(metodenavn + " mangler annotering", Response.Status.INTERNAL_SERVER_ERROR);
             } else {
-                var tokenString = getTokenFromHeader(ctx)
-                    .or(() -> getCookie(ctx, cookiePath))
-                    .orElseThrow(() -> new TokenFeil("Mangler token"));
-                validerToken(tokenString);
+                var tokenString = getToken(ctx, cookiePath)
+                    .orElseThrow(() -> new ValideringsFeil("Mangler token"));
+                validerTokenSetKontekst(tokenString);
+                setUserAndConsumerId(KontekstHolder.getKontekst().getUid());
             }
         } catch (TekniskException | TokenFeil e) {
             throw new WebApplicationException(e, Response.Status.FORBIDDEN);
@@ -101,31 +101,33 @@ private static void setCallAndConsumerId(ContainerRequestContext request) {
             .ifPresent(MDCOperations::putConsumerId);
     }
 
+    private static void setUserAndConsumerId(String subject) {
+        Optional.ofNullable(subject).ifPresent(MDCOperations::putUserId);
+        if (MDCOperations.getConsumerId() == null && subject != null) {
+            MDCOperations.putConsumerId(subject);
+        }
+    }
+
+    private static Optional<TokenString> getToken(ContainerRequestContext request, String cookiePath) {
+        return getTokenFromHeader(request).or(() -> getCookieToken(request, cookiePath));
+    }
+
     private static Optional<TokenString> getTokenFromHeader(ContainerRequestContext request) {
         String headerValue = request.getHeaderString(AUTHORIZATION_HEADER);
         return headerValue != null && headerValue.startsWith(OpenIDToken.OIDC_DEFAULT_TOKEN_TYPE)
             ? Optional.of(new TokenString(headerValue.substring(OpenIDToken.OIDC_DEFAULT_TOKEN_TYPE.length())))
             : Optional.empty();
     }
 
-    private static Optional<TokenString> getCookie(ContainerRequestContext request, String cookiePath) {
-        if (cookiePath == null || request.getCookies() == null) {
-            return Optional.empty();
-        }
-        return request.getCookies().values().stream()
-            .filter(c -> c.getValue() != null)
-            .filter(c -> ID_TOKEN_COOKIE_NAME.equalsIgnoreCase(c.getName()))
-            .filter(c -> cookiePath.equalsIgnoreCase(c.getPath()))
-            .findFirst()
-            .or(() -> request.getCookies().values().stream()
-                .filter(c -> c.getValue() != null)
-                .filter(c -> ID_TOKEN_COOKIE_NAME.equalsIgnoreCase(c.getName()))
-                .findFirst())
+    private static Optional<TokenString> getCookieToken(ContainerRequestContext request, String cookiePath) {
+        var idTokenCookie = Optional.ofNullable(request.getCookies()).map(c -> c.get(ID_TOKEN_COOKIE_NAME));
+        return idTokenCookie.filter(c -> cookiePath != null && cookiePath.equalsIgnoreCase(c.getPath()))
+            .or(() -> idTokenCookie)
             .map(Cookie::getValue)
             .map(TokenString::new);
     }
 
-    public static void validerToken(TokenString tokenString) {
+    public static void validerTokenSetKontekst(TokenString tokenString) {
         // Sett opp OpenIDToken
         var claims = JwtUtil.getClaims(tokenString.token());
         var configuration = ConfigProvider.getOpenIDConfiguration(JwtUtil.getIssuer(claims))

felles/auth-filter/src/test/java/no/nav/vedtak/sikkerhet/jaxrs/AuthenticationFilterDelegateTest.java

@@ -92,7 +92,7 @@ public void teardown() {
         try {
             AuthenticationFilterDelegate.validerSettKontekst(ri, request);
         } catch (WebApplicationException e) {
-            assertThat(e.getResponse().getStatus()).isEqualTo(403);
+            assertThat(e.getResponse().getStatus()).isEqualTo(401);
         }
     }
 

felles/db/src/main/resources/META-INF/beans.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="https://jakarta.ee/xml/ns/jakartaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_3_0.xsd"
-       version="3.0"
+       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_4_0.xsd"
+       version="4.0"
        bean-discovery-mode="annotated">
 </beans>

felles/konfig/src/main/resources/META-INF/beans.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="https://jakarta.ee/xml/ns/jakartaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_3_0.xsd"
-       version="3.0"
+       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_4_0.xsd"
+       version="4.0"
        bean-discovery-mode="annotated">
 </beans>

felles/kontekst/pom.xml

@@ -15,10 +15,6 @@
     <packaging>jar</packaging>
 
     <dependencies>
-        <dependency>
-            <groupId>jakarta.enterprise</groupId>
-            <artifactId>jakarta.enterprise.cdi-api</artifactId>
-        </dependency>
         <dependency>
             <groupId>no.nav.foreldrepenger.felles</groupId>
             <artifactId>felles-konfig</artifactId>

felles/log/src/main/resources/META-INF/beans.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="https://jakarta.ee/xml/ns/jakartaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_3_0.xsd"
-       version="3.0"
+       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_4_0.xsd"
+       version="4.0"
        bean-discovery-mode="annotated">
 </beans>

felles/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/validator/OidcTokenValidator.java

@@ -149,8 +149,9 @@ private OidcTokenValidatorResult validateAzure(JwtClaims claims, String subject)
         if (isAzureClientCredentials(claims, subject)) {
             var brukSubject = Optional.ofNullable(JwtUtil.getStringClaim(claims, AzureProperty.AZP_NAME)).orElse(subject);
             // Ta med bakoverkompatibelt navn ettersom azp_name er ganske langt (tabeller / opprettet_av)
-            if (brukSubject.lastIndexOf(':') >= 0) {
-                var appSrvName = "srv" + brukSubject.substring(brukSubject.lastIndexOf(':') + 1);
+            var sisteKolon = brukSubject.lastIndexOf(':');
+            if (sisteKolon >= 0) {
+                var appSrvName = "srv" + brukSubject.substring(sisteKolon + 1);
                 if (appSrvName.length() > 20) {
                     appSrvName = appSrvName.substring(0, 19);
                 }

felles/sikkerhet/src/main/java/no/nav/vedtak/sikkerhet/jaspic/OidcAuthModule.java

@@ -107,9 +107,9 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject
                     return FAILURE; // Vil gi 403
                 }
             } catch (Exception e) {
-                throw new TekniskException("F-396795", "Klarte ikke å sende respons", e);
+                throw new TekniskException("F-396795", "Klarte ikke å sende respons", e); // Gir 500
             }
-            return SEND_CONTINUE; // TODO - skal man returnere SEND_FAILURE? SEND_CONTINUE virker mest relevant for redirect to login
+            return SEND_CONTINUE; // SEND_CONTINUE sørger for svar med 401. (SEND_)FAILURE gir 403
         }
 
         if (SUCCESS.equals(authStatus)) {
@@ -151,7 +151,7 @@ public void setCallAndConsumerId(HttpServletRequest request) {
         }
     }
 
-    protected AuthStatus oidcLogin(Subject clientSubject, HttpServletRequest request) {
+    protected AuthStatus handleProtectedResource(Subject clientSubject, HttpServletRequest request) {
         // Get token
         var oidcToken = tokenLocator.getToken(request);
         if (oidcToken.isEmpty()) {
@@ -174,7 +174,7 @@ protected AuthStatus oidcLogin(Subject clientSubject, HttpServletRequest request
             return FAILURE;
         }
 
-        // Dummy - finnes kun pga Jakarta Authentication 3.0 kap 6 LoginModule Bridge Profile. Mulig kan fjernes helt - prøv i neste runde
+        // Dummy - finnes kun pga Jakarta Authentication 3.0 kap 6 LoginModule Bridge Profile.
         LoginContext loginContext = createLoginContext(clientSubject);
         try {
             loginContext.login();
@@ -184,8 +184,13 @@ protected AuthStatus oidcLogin(Subject clientSubject, HttpServletRequest request
 
         clientSubject.getPrincipals().add(new BrukerNavnType(sluttbruker.uid(), sluttbruker.identType()));
 
+        MDCOperations.putUserId(sluttbruker.uid());
+        if (MDCOperations.getConsumerId() == null) {
+            MDCOperations.putConsumerId(sluttbruker.uid());
+        }
+
         // Handle result
-        return handleValidatedToken(clientSubject, sluttbruker.uid());
+        return notifyContainerAboutLogin(clientSubject, sluttbruker.uid());
     }
 
     private LoginContext createLoginContext(Subject clientSubject) {
@@ -207,30 +212,14 @@ public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
         }
     }
 
-    protected AuthStatus handleProtectedResource(Subject clientSubject, HttpServletRequest originalRequest) {
-        return oidcLogin(clientSubject, originalRequest);
-    }
-
-    protected AuthStatus handleValidatedToken(Subject clientSubject, String username) {
-        AuthStatus authStatus = notifyContainerAboutLogin(clientSubject, username);
-
-        MDCOperations.putUserId(username);
-        if (MDCOperations.getConsumerId() == null) {
-            MDCOperations.putConsumerId(username);
-        }
-        return authStatus;
-    }
-
     /**
      * Asks the container to register the given username.
      * <p>
-     * <p>
      * Note that after this call returned, the authenticated identity will not be
      * immediately active. This will only take place (should not errors occur) after
      * the {@link ServerAuthContext} or {@link ServerAuthModule} in which this call
      * takes place return control back to the runtime.
      * <p>
-     * <p>
      * As a convenience this method returns SUCCESS, so this method can be used in
      * one fluent return statement from an auth module.
      *

felles/testutilities/src/main/resources/META-INF/beans.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="https://jakarta.ee/xml/ns/jakartaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_3_0.xsd"
-       version="3.0"
+       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_4_0.xsd"
+       version="4.0"
        bean-discovery-mode="annotated">
 </beans>

felles/testutilities/src/test/resources/META-INF/beans.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="https://jakarta.ee/xml/ns/jakartaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_3_0.xsd"
-       version="3.0"
+       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_4_0.xsd"
+       version="4.0"
        bean-discovery-mode="annotated">
 </beans>