diff --git a/common/token-provider/src/main/kotlin/no/nav/mulighetsrommet/tokenprovider/AccessType.kt b/common/token-provider/src/main/kotlin/no/nav/mulighetsrommet/tokenprovider/AccessType.kt
index de5b401a2b..52e27fd271 100644
--- a/common/token-provider/src/main/kotlin/no/nav/mulighetsrommet/tokenprovider/AccessType.kt
+++ b/common/token-provider/src/main/kotlin/no/nav/mulighetsrommet/tokenprovider/AccessType.kt
@@ -3,5 +3,4 @@ package no.nav.mulighetsrommet.tokenprovider
 sealed class AccessType {
 data class OBO(val token: String) : AccessType()
 data object M2M : AccessType()
- data class TOKENX(val token: String) : AccessType()
 }
diff --git a/common/token-provider/src/main/kotlin/no/nav/mulighetsrommet/tokenprovider/MaskinPortenTokenProvider.kt b/common/token-provider/src/main/kotlin/no/nav/mulighetsrommet/tokenprovider/MaskinPortenTokenProvider.kt
deleted file mode 100644
index aef834573b..0000000000
--- a/common/token-provider/src/main/kotlin/no/nav/mulighetsrommet/tokenprovider/MaskinPortenTokenProvider.kt
+++ /dev/null
@@ -1,114 +0,0 @@ -package no.nav.mulighetsrommet.tokenprovider - -import com.nimbusds.jose.JOSEObjectType -import com.nimbusds.jose.JWSAlgorithm -import com.nimbusds.jose.JWSHeader -import com.nimbusds.jose.crypto.RSASSASigner -import com.nimbusds.jose.jwk.RSAKey -import com.nimbusds.jwt.JWTClaimsSet -import com.nimbusds.jwt.SignedJWT -import io.ktor.client.call.* -import io.ktor.client.engine.* -import io.ktor.client.engine.cio.* -import io.ktor.client.plugins.cache.* -import io.ktor.client.request.* -import io.ktor.client.request.forms.* -import io.ktor.client.statement.* -import io.ktor.http.* -import kotlinx.serialization.SerialName -import kotlinx.serialization.Serializable -import no.nav.mulighetsrommet.ktor.clients.httpJsonClient -import org.slf4j.LoggerFactory -import java.util.* - -class MaskinPortenTokenProvider( - private val clientId: String, - private val issuer: String, - private val tokenEndpointUrl: String, - private val privateJwk: String, - clientEngine: HttpClientEngine = CIO.create(), -) { - private val log = LoggerFactory.getLogger(javaClass) - - private val client = httpJsonClient(clientEngine).config { - install(HttpCache) - } - - data class Config( - val clientId: String, - val issuer: String, - val tokenEndpointUrl: String, - val privateJwk: String, - ) - - suspend fun createToken(scope: String, targetAudience: String): String { - val signedJwt = signedJWT(scope, targetAudience) - - val response = client.post(tokenEndpointUrl) { - contentType(ContentType.Application.FormUrlEncoded) - setBody( - FormDataContent( - Parameters.build { - append("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer") - append("assertion", signedJwt.serialize()) - append("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer") - append("client_assertion", signedJwt.serialize()) - append("scope", scope) - }, - ), - ) - } - - if (response.status != HttpStatusCode.OK) { - log.error( - "Failed to fetch Maskinporten M2M token for 
scope={}. Status: {}, Error: {}", - scope, - response.status, - response.bodyAsText(), - ) - throw RuntimeException("Failed to fetch Maskinporten M2M token for scope=$scope") - } - - return response - .body() - .accessToken - } - - fun withScope(scope: String, targetAudience: String): M2MTokenProvider { - return M2MTokenProvider exchange@{ accessType -> - createToken(scope, targetAudience) - } - } - - private fun signedJWT(scope: String, targetAudience: String): SignedJWT { - val rsaKey = RSAKey.parse(privateJwk) - val signer = RSASSASigner(rsaKey.toPrivateKey()) - - val header = JWSHeader.Builder(JWSAlgorithm.RS256) - .keyID(rsaKey.keyID) - .type(JOSEObjectType.JWT) - .build() - - val now = Date() - val claims: JWTClaimsSet = JWTClaimsSet.Builder() - .subject(clientId) - .issuer(clientId) - .audience(issuer) - .issueTime(now) - .notBeforeTime(now) - .claim("scope", scope) - .claim("resource", targetAudience) - .expirationTime(Date(now.toInstant().plusSeconds(30).toEpochMilli())) - .jwtID(UUID.randomUUID().toString()) - .build() - - return SignedJWT(header, claims) - .apply { sign(signer) } - } -} - -@Serializable -data class AccessTokenResponse( - @SerialName("access_token") - val accessToken: String, -) diff --git a/common/token-provider/src/main/kotlin/no/nav/mulighetsrommet/tokenprovider/TokenProvider.kt b/common/token-provider/src/main/kotlin/no/nav/mulighetsrommet/tokenprovider/TokenProvider.kt index 7c22cb52fc..1645e96a08 100644 --- a/common/token-provider/src/main/kotlin/no/nav/mulighetsrommet/tokenprovider/TokenProvider.kt +++ b/common/token-provider/src/main/kotlin/no/nav/mulighetsrommet/tokenprovider/TokenProvider.kt 
@@ -10,10 +10,8 @@ import kotlinx.coroutines.Deferred
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.async
 import no.nav.common.token_client.builder.AzureAdTokenClientBuilder
-import no.nav.common.token_client.builder.TokenXTokenClientBuilder
 import no.nav.common.token_client.client.MachineToMachineTokenClient
 import no.nav.common.token_client.client.OnBehalfOfTokenClient
-import no.nav.common.token_client.client.TokenXOnBehalfOfTokenClient
 import no.nav.mulighetsrommet.env.NaisEnv
 import java.security.KeyPairGenerator
 import java.security.interfaces.RSAPrivateKey
@@ -39,7 +37,6 @@ fun interface M2MTokenProvider {
 * spør igjen for å hente det cachede tokenet.
 */
 class CachedTokenProvider(
- private val tokenXTokenProvider: TokenXOnBehalfOfTokenClient,
 private val oboTokenProvider: OnBehalfOfTokenClient,
 private val m2MTokenProvider: MachineToMachineTokenClient,
 ) {
@@ -52,7 +49,6 @@ class CachedTokenProvider(
 companion object {
 fun init(clientId: String, tokenEndpointUrl: String): CachedTokenProvider {
 return CachedTokenProvider(
- tokenXTokenProvider = createTokenXTokenClient(clientId),
 oboTokenProvider = createOboTokenClient(clientId, tokenEndpointUrl),
 m2MTokenProvider = createM2mTokenClient(clientId, tokenEndpointUrl),
 )
@@ -75,7 +71,6 @@ class CachedTokenProvider(
 private fun exchangeAsync(scope: String, accessType: AccessType): Deferred {
 return CoroutineScope(Dispatchers.IO).async {
 when (accessType) {
- is AccessType.TOKENX -> tokenXTokenProvider.exchangeOnBehalfOfToken(scope, accessType.token)
 AccessType.M2M -> m2MTokenProvider.createMachineToMachineToken(scope)
 is AccessType.OBO -> oboTokenProvider.exchangeOnBehalfOfToken(scope, accessType.token)
 }
@@ -96,17 +91,6 @@ private fun AccessType.subject(): String =
 throw IllegalArgumentException("Unable to get subject, access token is invalid")
 }
 }
-
- is AccessType.TOKENX -> {
- try {
- val token = JWTParser.parse(this.token)
- val subject = token.jwtClaimsSet.subject
- ?: throw IllegalArgumentException("Unable to get subject, access token is missing subject")
- subject
- } catch (e: ParseException) {
- throw IllegalArgumentException("Unable to get subject, access token is invalid")
- }
- }
 }
 
 private fun createOboTokenClient(clientId: String, tokenEndpointUrl: String): OnBehalfOfTokenClient =
@@ -131,38 +115,6 @@ private fun createM2mTokenClient(clientId: String, tokenEndpointUrl: String): Ma
 else -> AzureAdTokenClientBuilder.builder().withNaisDefaults().buildMachineToMachineTokenClient()
 }
 
-fun createTokenXTokenClient(clientId: String): TokenXOnBehalfOfTokenClient =
- when (NaisEnv.current()) {
- NaisEnv.Local -> TokenXTokenClientBuilder.builder()
- .withClientId(clientId)
- .withPrivateJwk(createMockRSAKey("azure").toJSONString())
- .buildOnBehalfOfTokenClient()
-
- else -> TokenXTokenClientBuilder.builder().withNaisDefaults().buildOnBehalfOfTokenClient()
- }
-
-fun createMaskinportenM2mTokenClient(
- clientId: String,
- tokenEndpointUrl: String,
- issuer: String,
-): MaskinPortenTokenProvider? =
- when (NaisEnv.current()) {
- NaisEnv.Local -> MaskinPortenTokenProvider(
- clientId = clientId,
- tokenEndpointUrl = tokenEndpointUrl,
- privateJwk = createMockRSAKey("maskinporten").toJSONString(),
- issuer = issuer,
- )
-
- NaisEnv.ProdGCP -> null // TODO: Remove when prod
- else -> MaskinPortenTokenProvider(
- clientId = clientId,
- tokenEndpointUrl = tokenEndpointUrl,
- privateJwk = System.getenv("MASKINPORTEN_CLIENT_JWK"),
- issuer = issuer,
- )
- }
-
 private fun createMockRSAKey(keyID: String): RSAKey = KeyPairGenerator
 .getInstance("RSA").let {
 it.initialize(2048)
diff --git a/mulighetsrommet-api/build.gradle.kts b/mulighetsrommet-api/build.gradle.kts
index 5c67e1ed17..e34c1ee372 100644
--- a/mulighetsrommet-api/build.gradle.kts
+++ b/mulighetsrommet-api/build.gradle.kts
@@ -99,6 +99,13 @@ dependencies {
 implementation(libs.nav.common.auditLog)
 implementation(libs.nav.common.client)
+ implementation(libs.nav.common.tokenClient)
+ constraints {
+ implementation("net.minidev:json-smart:2.5.1") {
+ because("sikkerhetshull i transitiv avhengighet rapportert via snyk")
+ }
+ }
+
 
 // Dependency injection
 implementation(libs.koin.ktor)
 implementation(libs.koin.logger.slf4j)
diff --git a/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/altinn/AltinnClient.kt b/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/altinn/AltinnClient.kt
index bafca87135..4b18241bbf 100644
--- a/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/altinn/AltinnClient.kt
+++ b/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/altinn/AltinnClient.kt
@@ -10,16 +10,13 @@ import io.ktor.http.*
 import kotlinx.serialization.Serializable
 import no.nav.mulighetsrommet.altinn.models.AltinnRessurs
 import no.nav.mulighetsrommet.altinn.models.BedriftRettigheter
-import no.nav.mulighetsrommet.domain.dto.NorskIdent
 import no.nav.mulighetsrommet.domain.dto.Organisasjonsnummer
 import no.nav.mulighetsrommet.ktor.clients.httpJsonClient
-import no.nav.mulighetsrommet.tokenprovider.AccessType
-import no.nav.mulighetsrommet.tokenprovider.TokenProvider
 import org.slf4j.LoggerFactory
 
 class AltinnClient(
 private val baseUrl: String,
- private val tokenProvider: TokenProvider,
+ private val tokenProvider: (token: String) -> String,
 clientEngine: HttpClientEngine = CIO.create(),
 ) {
 private val log = LoggerFactory.getLogger(javaClass)
@@ -32,30 +29,29 @@ class AltinnClient(
 val scope: String,
 )
 
- suspend fun hentRettigheter(): List {
- log.info("Henter organisasjoner fra Altinn")
- val tilganger = hentTilganger()
- return findAltinnRoller(tilganger)
+ suspend fun hentRettigheter(token: String): List {
+ log.info("Henter rettigheter fra Altinn for bruker via Team Fager")
+ val tilganger = hentTilganger(token)
+ return sjekkTilganger(tilganger)
 }
 
- private fun findAltinnRoller(
- bedriftsrettigheter: List,
- ): List =
- bedriftsrettigheter
- .flatMap { rettighet ->
- findAltinnRoller(rettighet.) +
- BedriftRettigheter(
- organisasjonsnummer = Organisasjonsnummer(rettighet.organizationNumber),
- rettigheter = AltinnRessurs
- .entries
- .filter { it.ressursId in rettighet.authorizedResources },
- )
+ fun sjekkTilganger(tilganger: Tilgangshierarki): List {
+ val result = mutableListOf()
+
+ fun checkTilganger(org: TilgangForOrganisasjon) {
+ if (AltinnRessurs.TILTAK_ARRANGOR_REFUSJON.ressursId in org.altinn3Tilganger) {
+ result.add(BedriftRettigheter(Organisasjonsnummer(org.orgnr), listOf(AltinnRessurs.TILTAK_ARRANGOR_REFUSJON)))
 }
- .filter { it.rettigheter.isNotEmpty() }
+ org.underenheter.forEach { checkTilganger(it) }
+ }
+
+ tilganger.hierarki.forEach { checkTilganger(it) }
+ return result
+ }
 
- private suspend fun hentTilganger(): Tilgangshierarki {
+ private suspend fun hentTilganger(token: String): Tilgangshierarki {
 val response = client.post("$baseUrl/altinn-tilganger") {
- bearerAuth(tokenProvider.exchange(AccessType.M2M))
+ bearerAuth(tokenProvider.invoke(token))
 header(HttpHeaders.ContentType, ContentType.Application.Json)
 }
diff --git a/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/altinn/AltinnRettigheterService.kt b/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/altinn/AltinnRettigheterService.kt
index b7df6e5d4d..2f4d0acce8 100644
--- a/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/altinn/AltinnRettigheterService.kt
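Review bot: `sjekkTilganger` only recognises `AltinnRessurs.TILTAK_ARRANGOR_REFUSJON`, whereas the `findAltinnRoller` it replaces matched every `AltinnRessurs` entry against the organisation's authorised resources, so any further enum value would be silently dropped from the stored rettigheter. Deriving the list per organisation with `AltinnRessurs.entries.filter { it.ressursId in org.altinn3Tilganger }` keeps the earlier semantics and yields the same result for the single entry in use today. In `hentTilganger`, `tokenProvider.invoke(token)` reads better as `tokenProvider(token)`; and since the lambda wired up in DependencyInjection.kt calls `exchangeOnBehalfOfToken`, which appears to be a blocking call, a `suspend (String) -> String` parameter type with the exchange run under `withContext(Dispatchers.IO)` at the call site would keep this `suspend` function from blocking its dispatcher — worth confirming against the nav-common client. `hentTilganger` continues past the end of the hunk.
```kotlin
    fun sjekkTilganger(tilganger: Tilgangshierarki): List<BedriftRettigheter> {
        val result = mutableListOf<BedriftRettigheter>()

        // Depth-first walk; an organisation is reported with every known
        // AltinnRessurs found in its altinn3Tilganger, as the old mapping did.
        fun checkTilganger(org: TilgangForOrganisasjon) {
            val rettigheter = AltinnRessurs.entries.filter { it.ressursId in org.altinn3Tilganger }
            if (rettigheter.isNotEmpty()) {
                result.add(BedriftRettigheter(Organisasjonsnummer(org.orgnr), rettigheter))
            }
            org.underenheter.forEach { checkTilganger(it) }
        }

        tilganger.hierarki.forEach { checkTilganger(it) }
        return result
    }
    // … unchanged: hentTilganger …
```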
+++ b/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/altinn/AltinnRettigheterService.kt
@@ -11,17 +11,17 @@ class AltinnRettigheterService(
 ) {
 private val rolleExpiryDuration = Duration.ofDays(1)
 
- suspend fun getRettigheter(norskIdent: NorskIdent): List {
+ suspend fun getRettigheter(token: String, norskIdent: NorskIdent): List {
 val bedriftRettigheter = altinnRettigheterRepository.getRettigheter(norskIdent)
 return if (bedriftRettigheter.isEmpty() || bedriftRettigheter.any { it.rettigheter.any { it.expiry.isBefore(LocalDateTime.now()) } }) {
- syncRettigheter(norskIdent)
+ syncRettigheter(token, norskIdent)
 } else {
 bedriftRettigheter.map { it.toBedriftRettigheter() }
 }
 }
 
- private suspend fun syncRettigheter(norskIdent: NorskIdent): List {
- val rettigheter = altinnClient.hentRettigheter()
+ private suspend fun syncRettigheter(token: String, norskIdent: NorskIdent): List {
+ val rettigheter = altinnClient.hentRettigheter(token)
 altinnRettigheterRepository.upsertRettighet(
 PersonBedriftRettigheter(
 norskIdent = norskIdent,
diff --git a/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/api/Config.kt b/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/api/Config.kt
index 19a231b6d8..bb830f07e0 100644
--- a/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/api/Config.kt
+++ b/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/api/Config.kt
@@ -90,7 +90,8 @@ data class AuthProvider(
 val issuer: String,
 val jwksUri: String,
 val audience: String,
- val tokenEndpointUrl: String,
+ val tokenEndpointUrl: String? = null,
+ val wellKnownUrl: String? = null,
 )
 
 data class ServiceClientConfig(
diff --git a/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/api/plugins/Authentication.kt b/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/api/plugins/Authentication.kt
index 34d94cd0e3..365bbaa083 100644
--- a/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/api/plugins/Authentication.kt
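Review bot: The new `token` parameter of `getRettigheter` is undocumented, and the repository lookup on the line below it is keyed on `norskIdent` alone while `token` is only consulted on a cache miss in `syncRettigheter`, so the method depends on the caller passing a token whose subject actually is that `norskIdent`. A KDoc on `getRettigheter` should state the contract, e.g. `/** @param token the end user's TokenX access token, exchanged on-behalf-of towards Altinn; it must belong to [norskIdent], which also keys the cached rettigheter. */`. The only caller visible in this diff (Authentication.kt) derives `norskIdent` from the same token's `pid` claim, so the pairing holds there, but nothing in this class enforces it.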
+++ b/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/api/plugins/Authentication.kt
@@ -15,6 +15,7 @@ import no.nav.mulighetsrommet.domain.dto.NavIdent
 import no.nav.mulighetsrommet.domain.dto.NorskIdent
 import no.nav.mulighetsrommet.domain.dto.Organisasjonsnummer
 import no.nav.mulighetsrommet.ktor.exception.StatusException
+import no.nav.mulighetsrommet.ktor.extensions.getAccessToken
 import org.koin.ktor.ext.inject
 import java.net.URI
 import java.util.*
@@ -262,11 +263,12 @@ fun Application.configureAuthentication(
 }
 validate { credentials ->
 credentials["pid"] ?: return@validate null
+ val token = getAccessToken()
 val norskIdent = credentials["pid"]?.let { runCatching { NorskIdent(it) }.getOrNull() } ?: return@validate null
- val organisasjonsnummer = altinnRettigheterService.getRettigheter(norskIdent)
+ val organisasjonsnummer = altinnRettigheterService.getRettigheter(token, norskIdent) .filter { it.rettigheter.contains(AltinnRessurs.TILTAK_ARRANGOR_REFUSJON) }
diff --git a/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/api/plugins/DependencyInjection.kt b/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/api/plugins/DependencyInjection.kt
index 62efb51e30..f6b3f77503 100644
--- a/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/api/plugins/DependencyInjection.kt
+++ b/mulighetsrommet-api/src/main/kotlin/no/nav/mulighetsrommet/api/plugins/DependencyInjection.kt
@@ -1,6 +1,8 @@
 package no.nav.mulighetsrommet.api.plugins
 
 import com.github.kagkarlsson.scheduler.Scheduler
+import com.nimbusds.jose.jwk.KeyUse
+import com.nimbusds.jose.jwk.RSAKey
 import io.ktor.server.application.*
 import kotlinx.coroutines.runBlocking
 import no.nav.common.client.axsys.AxsysClient
@@ -8,6 +10,8 @@ import no.nav.common.client.axsys.AxsysV2ClientImpl
 import no.nav.common.kafka.producer.util.KafkaProducerClientBuilder
 import no.nav.common.kafka.util.KafkaPropertiesBuilder
 import no.nav.common.kafka.util.KafkaPropertiesPreset
+import no.nav.common.token_client.builder.TokenXTokenClientBuilder
+import no.nav.common.token_client.client.TokenXOnBehalfOfTokenClient
 import no.nav.mulighetsrommet.altinn.AltinnClient
 import no.nav.mulighetsrommet.altinn.AltinnRettigheterRepository
 import no.nav.mulighetsrommet.altinn.AltinnRettigheterService
@@ -71,6 +75,9 @@ import org.koin.core.module.Module
 import org.koin.dsl.module
 import org.koin.ktor.plugin.KoinIsolated
 import org.koin.logger.SLF4JLogger
+import java.security.KeyPairGenerator
+import java.security.interfaces.RSAPrivateKey
+import java.security.interfaces.RSAPublicKey
 
 fun Application.configureDependencyInjection(appConfig: AppConfig) {
 install(KoinIsolated) {
@@ -185,7 +192,8 @@ private fun repositories() = module {
 
 private fun services(appConfig: AppConfig) = module {
 val azure = appConfig.auth.azure
- val cachedTokenProvider = CachedTokenProvider.init(azure.audience, azure.tokenEndpointUrl)
+ val cachedTokenProvider = CachedTokenProvider.init(azure.audience, requireNotNull(azure.tokenEndpointUrl))
+ val tokenXTokenProvider = createTokenXTokenClient(requireNotNull(appConfig.auth.tokenx.wellKnownUrl))
 
 single {
 VeilarboppfolgingClient(
@@ -274,7 +282,7 @@ private fun services(appConfig: AppConfig) = module {
 AltinnClient(
 baseUrl = appConfig.altinn.url,
 clientEngine = appConfig.engine,
- tokenProvider = cachedTokenProvider.withScope(appConfig.altinn.scope),
+ tokenProvider = { tokenXTokenProvider.exchangeOnBehalfOfToken(appConfig.altinn.scope, it) },
 )
 }
 single { EndringshistorikkService(get()) }
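Review bot: Both `requireNotNull` calls added in `services` carry no message, so a missing `auth.azure.tokenEndpointUrl` or `auth.tokenx.wellKnownUrl` fails Koin module construction with a bare "Required value was null." that does not name the configuration key; `requireNotNull(azure.tokenEndpointUrl) { "auth.azure.tokenEndpointUrl must be set" }` and `requireNotNull(appConfig.auth.tokenx.wellKnownUrl) { "auth.tokenx.wellKnownUrl must be set" }` make the startup failure self-explanatory. The lambda passed as `tokenProvider` to `AltinnClient` in the later hunk calls `exchangeOnBehalfOfToken` synchronously, and AltinnClient invokes it from a `suspend` function; if that client is blocking (the nav-common token clients appear to be), the exchange should run under `withContext(Dispatchers.IO)` or the lambda type should be made `suspend`. `services` starts and ends outside these hunks.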
@@ -421,3 +429,26 @@ private fun tasks(config: TaskConfig) = module {
 .build()
 }
 }
+
+fun createTokenXTokenClient(discoveryUrl: String): TokenXOnBehalfOfTokenClient =
+ when (NaisEnv.current()) {
+ NaisEnv.Local -> TokenXTokenClientBuilder.builder()
+ .withDiscoveryUrl(discoveryUrl)
+ .withClientId("mulighetsrommet-api")
+ .withPrivateJwk(createMockRSAKey("tokenx").toJSONString())
+ .buildOnBehalfOfTokenClient()
+
+ else -> TokenXTokenClientBuilder.builder().withNaisDefaults().buildOnBehalfOfTokenClient()
+ }
+
+private fun createMockRSAKey(keyID: String): RSAKey = KeyPairGenerator
+ .getInstance("RSA").let {
+ it.initialize(2048)
+ it.generateKeyPair()
+ }.let {
+ RSAKey.Builder(it.public as RSAPublicKey)
+ .privateKey(it.private as RSAPrivateKey)
+ .keyUse(KeyUse.SIGNATURE)
+ .keyID(keyID)
+ .build()
+ }
diff --git a/mulighetsrommet-api/src/test/kotlin/no/nav/mulighetsrommet/altinn/AltinnClientTest.kt b/mulighetsrommet-api/src/test/kotlin/no/nav/mulighetsrommet/altinn/AltinnClientTest.kt
index 1a02792503..e5d427ad5a 100644
--- a/mulighetsrommet-api/src/test/kotlin/no/nav/mulighetsrommet/altinn/AltinnClientTest.kt
+++ b/mulighetsrommet-api/src/test/kotlin/no/nav/mulighetsrommet/altinn/AltinnClientTest.kt
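Review bot: `createTokenXTokenClient` honours `discoveryUrl` only in the `NaisEnv.Local` branch; every other environment goes through `withNaisDefaults()`, so the `requireNotNull(appConfig.auth.tokenx.wellKnownUrl)` at the call site enforces a value that is then ignored outside local runs. A KDoc such as `/** Builds the TokenX on-behalf-of client. [discoveryUrl] and the generated mock signing key are used only for NaisEnv.Local; elsewhere the NAIS-injected TokenX defaults apply. */` would make that explicit. The function is public at top level of a plugins file while only `services` uses it, so `private` (or `internal`) fits, and `createMockRSAKey` duplicates the helper that remains in common/token-provider's TokenProvider.kt in this same diff — one shared implementation avoids the two drifting.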
@@ -2,59 +2,78 @@ package no.nav.mulighetsrommet.altinn import io.kotest.core.spec.style.FunSpec import io.kotest.matchers.collections.shouldHaveSize -import no.nav.mulighetsrommet.domain.dto.NorskIdent import no.nav.mulighetsrommet.ktor.createMockEngine import no.nav.mulighetsrommet.ktor.respondJson class AltinnClientTest : FunSpec({ val altinnResponse = """ - [ - { - "name": "LAGSPORT PLUTSELIG", - "organizationNumber": "123456789", - "type": "Person", - "authorizedResources": [], - "subunits": [] - }, - { - "name": "NONFIGURATIV KOMFORTABEL HUND DA", - "type": "Organization", - "organizationNumber": "999987004", - "authorizedResources": [], - "subunits": [ - { - "name": "UEMOSJONELL KREATIV TIGER AS", - "type": "Organization", - "organizationNumber": "211267232", - "authorizedResources": ["tiltak-arrangor-refusjon"], - "subunits": [] - } - ] - }, - { - "name": "FRYKTLØS OPPSTEMT STRUTS LTD", - "type": "Organization", - "organizationNumber": "312899485", - "authorizedResources": ["tiltak-arrangor-refusjon"], - "subunits": [] - } - ] + { + "isError": false, + "hierarki": [ + { + "orgnr": "314048814", + "altinn3Tilganger": [], + "altinn2Tilganger": [], + "underenheter": [ + { + "orgnr": "211267232", + "altinn3Tilganger": [ + "tiltak-arrangor-refusjon" + ], + "altinn2Tilganger": [], + "underenheter": [], + "navn": "UEMOSJONELL KREATIV TIGER AS", + "organisasjonsform": "BEDR", + "orgNr": "211267232", + "name": "UEMOSJONELL KREATIV TIGER AS", + "organizationForm": "BEDR" + } + ], + "navn": "UEMOSJONELL KREATIV TIGER AS", + "organisasjonsform": "AS", + "orgNr": "314048814", + "name": "UEMOSJONELL KREATIV TIGER AS", + "organizationForm": "AS" + }, + { + "orgnr": "312899485", + "altinn3Tilganger": [ + "tiltak-arrangor-refusjon" + ], + "altinn2Tilganger": [], + "underenheter": [], + "navn": "FRYKTLØS OPPSTEMT STRUTS LTD", + "organisasjonsform": "NUF", + "orgNr": "312899485", + "name": "FRYKTLØS OPPSTEMT STRUTS LTD", + "organizationForm": "NUF" + } + ], + 
"orgNrTilTilganger": { + "211267232": [ + "tiltak-arrangor-refusjon" + ] + }, + "tilgangTilOrgNr": { + "tiltak-arrangor-refusjon": [ + "211267232" + ] + } +} """.trimIndent() test("hentAlleOrganisasjoner 1 tilgang - kun et kall til Altinn") { val altinnClient = AltinnClient( "https://altinn.no", - altinnApiKey = "api-key", tokenProvider = { "token" }, createMockEngine( - "/accessmanagement/api/v1/resourceowner/authorizedparties?includeAltinn2=true" to { + "/altinn-tilganger" to { respondJson(altinnResponse) }, ), ) - val norskIdent = NorskIdent("12345678901") - val organisasjoner = altinnClient.hentRettigheter(norskIdent) + val organisasjoner = altinnClient.hentRettigheter("token") organisasjoner shouldHaveSize 2 } diff --git a/mulighetsrommet-api/src/test/kotlin/no/nav/mulighetsrommet/api/ApplicationTestConfig.kt b/mulighetsrommet-api/src/test/kotlin/no/nav/mulighetsrommet/api/ApplicationTestConfig.kt index 83612682ce..9671543901 100644 --- a/mulighetsrommet-api/src/test/kotlin/no/nav/mulighetsrommet/api/ApplicationTestConfig.kt +++ b/mulighetsrommet-api/src/test/kotlin/no/nav/mulighetsrommet/api/ApplicationTestConfig.kt @@ -108,9 +108,8 @@ fun createTestApplicationConfig() = AppConfig( baseUrl = "", ), altinn = AltinnClient.Config( - url = "altinn-acl", + url = "", scope = "default", - apiKey = "apiKey", ), ) 
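Review bot: The assertion `organisasjoner shouldHaveSize 2` does not verify which organisations were returned, so it cannot tell whether the child `211267232` nested under `314048814` (which itself has no `altinn3Tilganger`) was reported rather than its parent, which is exactly the hierarchy walk this fixture exercises. Asserting the orgnrs, e.g. `organisasjoner.map { it.organisasjonsnummer } shouldContainExactlyInAnyOrder listOf(Organisasjonsnummer("211267232"), Organisasjonsnummer("312899485"))`, pins that behaviour. The test name `hentAlleOrganisasjoner 1 tilgang - kun et kall til Altinn` still refers to the old method and no longer describes what is asserted.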
@@ -153,18 +152,21 @@ fun createAuthConfig(
 audience = audience,
 jwksUri = oauth?.jwksUrl(issuer)?.toUri()?.toString() ?: "http://localhost",
 tokenEndpointUrl = oauth?.tokenEndpointUrl(issuer)?.toString() ?: "http://localhost",
+ wellKnownUrl = null,
 ),
 roles = roles,
 tokenx = AuthProvider(
 issuer = oauth?.issuerUrl(issuer)?.toString() ?: issuer,
 audience = audience,
- jwksUri = oauth?.jwksUrl(issuer)?.toUri()?.toString() ?: "http://localhost",
- tokenEndpointUrl = oauth?.tokenEndpointUrl(issuer)?.toString() ?: "http://localhost",
+ jwksUri = oauth?.jwksUrl(issuer)?.toUri()?.toString() ?: "http://localhost:8081",
+ tokenEndpointUrl = null,
+ wellKnownUrl = oauth?.wellKnownUrl(issuer)?.toString() ?: "http://localhost:8081/tokenx/.well-known/openid-configuration",
 ),
 maskinporten = AuthProvider(
 issuer = oauth?.issuerUrl(issuer)?.toString() ?: issuer,
 audience = audience,
 jwksUri = oauth?.jwksUrl(issuer)?.toUri()?.toString() ?: "http://localhost",
 tokenEndpointUrl = oauth?.tokenEndpointUrl(issuer)?.toString() ?: "http://localhost",
+ wellKnownUrl = null,
 ),
 )