Lagt til sikkerhet #deploy-inst-proxy

.github/workflows/proxy.inst-proxy.yml

@@ -14,7 +14,7 @@ jobs:
     with:
       cluster: "dev-fss"
       working-directory: "proxies/inst-proxy"
-      deploy-tag: "#deploy-proxy"
+      deploy-tag: "#deploy-inst-proxy"
     permissions:
       contents: read
       id-token: write

proxies/inst-proxy/build.gradle

@@ -53,17 +53,20 @@ dependencies {
     implementation 'no.nav.testnav.libs:reactive-core'
     implementation 'no.nav.testnav.libs:reactive-proxy'
     implementation 'no.nav.testnav.libs:data-transfer-objects'
+    implementation 'no.nav.testnav.libs:security-core'
+    implementation 'no.nav.testnav.libs:reactive-security'
 
     implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
     implementation 'org.springframework.boot:spring-boot-starter-webflux'
     implementation 'org.springframework.cloud:spring-cloud-starter-vault-config'
     implementation 'org.springframework.cloud:spring-cloud-starter-gateway'
-
 
     implementation 'net.logstash.logback:logstash-logback-encoder:7.4'
     implementation 'org.hibernate.validator:hibernate-validator'
 
-    testImplementation 'junit:junit:4.13.2' //TODO upgrade to JUnit5
+    annotationProcessor 'org.projectlombok:lombok'
+    implementation 'org.projectlombok:lombok'
+
     testImplementation 'org.springframework.boot:spring-boot-starter-test'
     testImplementation 'org.springframework.cloud:spring-cloud-contract-wiremock'
 }

proxies/inst-proxy/config.yml

@@ -51,7 +51,7 @@ spec:
           cluster: dev-gcp
     outbound:
       rules:
-        - application: inst2
+        - application: opphold-testdata
           namespace: team-rocket
   liveness:
     path: /internal/isAlive

proxies/inst-proxy/settings.gradle

@@ -8,6 +8,8 @@ rootProject.name = 'inst-proxy'
 includeBuild '../../libs/reactive-core'
 includeBuild '../../libs/reactive-proxy'
 includeBuild '../../libs/data-transfer-objects'
+includeBuild '../../libs/security-core'
+includeBuild '../../libs/reactive-security'
 
 gradleEnterprise {
     buildScan {

proxies/inst-proxy/src/main/java/no/nav/testnav/proxies/instproxy/Consumers.java

@@ -0,0 +1,20 @@
+package no.nav.testnav.proxies.instproxy;
+
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+import no.nav.testnav.libs.securitycore.domain.ServerProperties;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+
+import static lombok.AccessLevel.PACKAGE;
+
+@Configuration
+@ConfigurationProperties(prefix = "consumers")
+@NoArgsConstructor(access = PACKAGE)
+@Getter
+@Setter(PACKAGE)
+public class Consumers {
+
+    private ServerProperties inst;
+}

proxies/inst-proxy/src/main/java/no/nav/testnav/proxies/instproxy/InstProxyApplicationStarter.java

@@ -3,6 +3,10 @@
 import no.nav.testnav.libs.reactivecore.config.CoreConfig;
 import no.nav.testnav.libs.reactiveproxy.config.DevConfig;
 import no.nav.testnav.libs.reactiveproxy.config.SecurityConfig;
+import no.nav.testnav.libs.reactiveproxy.filter.AddAuthenticationRequestGatewayFilterFactory;
+import no.nav.testnav.libs.reactivesecurity.config.SecureOAuth2ServerToServerConfiguration;
+import no.nav.testnav.libs.reactivesecurity.exchange.TokenExchange;
+import no.nav.testnav.libs.securitycore.domain.AccessToken;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.cloud.gateway.route.RouteLocator;
@@ -13,7 +17,8 @@
 @Import({
         CoreConfig.class,
         DevConfig.class,
-        SecurityConfig.class
+        SecurityConfig.class,
+        SecureOAuth2ServerToServerConfiguration.class
 })
 @SpringBootApplication
 public class InstProxyApplicationStarter {
@@ -23,11 +28,24 @@ public static void main(String[] args) {
     }
 
     @Bean
-    public RouteLocator customRouteLocator(RouteLocatorBuilder builder) {
-        return builder.routes()
+    public RouteLocator customRouteLocator(
+            RouteLocatorBuilder builder,
+            TokenExchange tokenExchange,
+            Consumers consumers
+    ) {
+        var addAuthenticationHeaderDevFilter = AddAuthenticationRequestGatewayFilterFactory
+                .bearerAuthenticationHeaderFilter(
+                        () -> tokenExchange
+                                .exchange(consumers.getInst())
+                                .map(AccessToken::getTokenValue));
+
+        return builder
+                .routes()
                 .route(spec -> spec
                         .path("/**")
-                        .uri("https://institusjon-opphold-testdata.dev.intern.nav.no/"))
+                        .filters(filterSpec -> filterSpec.filter(addAuthenticationHeaderDevFilter))
+                        .uri(consumers.getInst().getUrl())
+                )
                 .build();
     }
 }

proxies/inst-proxy/src/main/resources/application.yml

@@ -21,3 +21,10 @@ spring:
     gateway:
       httpclient:
         response-timeout: 180s
+
+consumers:
+  inst:
+    name: opphold-testdata
+    namespace: team-rocket
+    url: http://opphold-testdata.team-rocket.svc.nais.local
+    cluster: dev-fss

proxies/inst-proxy/src/test/java/no/nav/testnav/proxies/instproxy/ApplicationContextTest.java

@@ -0,0 +1,20 @@
+package no.nav.testnav.proxies.instproxy;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
+import org.springframework.test.context.ActiveProfiles;
+
+@SpringBootTest
+@ActiveProfiles("test")
+class ApplicationContextTest {
+
+    @MockBean
+    public ReactiveJwtDecoder reactiveJwtDecoder;
+
+    @Test
+    @SuppressWarnings("java:S2699")
+    void load_app_context() {
+    }
+}

proxies/inst-proxy/src/test/resources/application-test.properties

@@ -0,0 +1,4 @@
+spring.cloud.vault.token=dummy
+azure.app.client.id=dummy
+azure.app.client.secret=dummy
+proxy.url=http://localhost