Azure mot pdl (#415)

* Bruke AzureAD token mot PDL
* Behandlingsnummer header

.github/workflows/deploy-branch.yml

@@ -45,6 +45,7 @@ jobs:
 
   deploy-branch:
     name: Deploy til dev
+    needs: bygg
     runs-on: ubuntu-latest
 
     steps:

nais/dev-fss.yaml

@@ -45,6 +45,9 @@ spec:
         kvPath: /serviceuser/data/dev/srvag-arbforhold
   tokenx:
     enabled: true
+  azure:
+    application:
+      enabled: true
   webproxy: true
   accessPolicy:
     inbound:
@@ -63,3 +66,6 @@ spec:
         - application: altinn-rettigheter-proxy
           namespace: arbeidsgiver
           cluster: dev-gcp
+        - application: pdl-api
+          namespace: pdl
+          cluster: dev-fss

nais/prod-fss.yaml

@@ -52,6 +52,9 @@ spec:
         kvPath: /serviceuser/data/prod/srvag-arbforhold
   tokenx:
     enabled: true
+  azure:
+    application:
+      enabled: true
   webproxy: true
   accessPolicy:
     inbound:
@@ -69,4 +72,7 @@ spec:
           cluster: prod-fss
         - application: altinn-rettigheter-proxy
           namespace: arbeidsgiver
-          cluster: prod-gcp
+          cluster: prod-gcp
+        - application: pdl-api
+          namespace: pdl
+          cluster: prod-fss

src/main/kotlin/no/nav/tag/innsynAareg/client/aareg/AaregClient.kt

@@ -2,18 +2,15 @@ package no.nav.tag.innsynAareg.client.aareg
 
 import no.nav.tag.innsynAareg.client.aareg.dto.OversiktOverArbeidsForhold
 import no.nav.tag.innsynAareg.client.aareg.dto.OversiktOverArbeidsgiver
-import no.nav.tag.innsynAareg.client.sts.STSClient
 import no.nav.tag.innsynAareg.models.ArbeidsforholdFunnet
 import no.nav.tag.innsynAareg.models.ArbeidsforholdOppslagResultat
 import no.nav.tag.innsynAareg.models.IngenRettigheter
 import no.nav.tag.innsynAareg.service.tokenExchange.TokenExchangeClient
-import no.nav.tag.innsynAareg.utils.AutentisertBruker
 import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.annotation.Value
 import org.springframework.http.*
 import org.springframework.http.RequestEntity.method
 import org.springframework.stereotype.Component
-import org.springframework.stereotype.Service
 import org.springframework.web.client.HttpClientErrorException
 import org.springframework.web.client.RestTemplate
 

src/main/kotlin/no/nav/tag/innsynAareg/client/azure/AccessTokenResponse.kt

@@ -0,0 +1,10 @@
+package no.nav.tag.innsynAareg.client.azure
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties
+import com.fasterxml.jackson.annotation.JsonProperty
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+class AccessTokenResponse(
+    @field:JsonProperty("expires_in") var expiresIn: Long,
+    @field:JsonProperty("access_token") var accessToken: String
+)

src/main/kotlin/no/nav/tag/innsynAareg/client/azure/AzureClient.kt

@@ -0,0 +1,78 @@
+package no.nav.tag.innsynAareg.client.azure
+
+import org.slf4j.LoggerFactory
+import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.beans.factory.annotation.Value
+import org.springframework.http.HttpEntity
+import org.springframework.http.HttpHeaders
+import org.springframework.http.HttpMethod
+import org.springframework.http.MediaType
+import org.springframework.stereotype.Component
+import org.springframework.util.LinkedMultiValueMap
+import org.springframework.util.MultiValueMap
+import org.springframework.web.client.RestTemplate
+import java.time.LocalDateTime
+import java.util.*
+
+@Component
+class AzureClient @Autowired constructor(
+    @Value("\${azure.tokenUrl}") private val tokenUrl: String,
+    @Value("\${AZURE_APP_CLIENT_ID}") private val clientId: String,
+    @Value("\${AZURE_APP_CLIENT_SECRET}") private val clientSecret: String,
+    private val restTemplate: RestTemplate
+) {
+    private val log = LoggerFactory.getLogger(AzureClient::class.java)!!
+    private val tokens: LinkedHashMap<String, AzureToken> = LinkedHashMap()
+
+    fun getToken(scope: String): String {
+        if (!tokens.containsKey(scope)) {
+            updateToken(scope)
+        }
+        updateTokenIfNeeded(scope)
+        return tokens.getValue(scope).access_token
+    }
+
+    private fun updateTokenIfNeeded(scope: String) {
+        synchronized(this) {
+            val token = tokens.getValue(scope)
+            if (shouldRefresh(token.expires_in)) {
+                updateToken(scope)
+            }
+        }
+    }
+
+    private fun updateToken(scope: String) {
+        try {
+            val formParameters = formParameters(scope)
+
+            val headers = HttpHeaders()
+            headers.contentType = MediaType.APPLICATION_FORM_URLENCODED
+            headers.accept = listOf(MediaType.APPLICATION_JSON)
+            headers.setBasicAuth(clientId, clientSecret)
+
+            val requestEntity = HttpEntity<MultiValueMap<String, String>>(formParameters, headers)
+
+            val response =
+                restTemplate.exchange(tokenUrl, HttpMethod.POST, requestEntity, AccessTokenResponse::class.java).body!!
+
+            val token = AzureToken(response.accessToken, LocalDateTime.now().plusSeconds(response.expiresIn))
+
+            tokens[scope] = token
+        } catch (e: Exception) {
+            log.error("Feil ved henting av token fra Azure. $e", e)
+            throw RuntimeException("AG-ARBEIDSFORHOLD Klarte ikke hente token fra azure. $e", e)
+        }
+    }
+
+    private fun shouldRefresh(expiry: LocalDateTime): Boolean {
+        return Objects.isNull(expiry) || LocalDateTime.now().plusMinutes(1).isAfter(expiry)
+    }
+
+    private fun formParameters(scope: String): MultiValueMap<String, String> {
+        val formParameters: MultiValueMap<String, String> = LinkedMultiValueMap()
+        formParameters.add("grant_type", "client_credentials")
+        formParameters.add("scope", scope)
+
+        return formParameters
+    }
+}

src/main/kotlin/no/nav/tag/innsynAareg/client/azure/AzureToken.kt

@@ -0,0 +1,9 @@
+package no.nav.tag.innsynAareg.client.azure
+
+import java.time.LocalDateTime
+
+@Suppress("Unused") /* dto */
+data class AzureToken(
+    var access_token: String,
+    var expires_in: LocalDateTime
+)

src/main/kotlin/no/nav/tag/innsynAareg/client/pdl/PdlBatchClient.kt

@@ -1,6 +1,6 @@
 package no.nav.tag.innsynAareg.client.pdl
 
-import no.nav.tag.innsynAareg.client.sts.STSClient
+import no.nav.tag.innsynAareg.client.azure.AzureClient
 import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.beans.factory.annotation.Value
@@ -9,12 +9,14 @@ import org.springframework.http.HttpHeaders
 import org.springframework.http.MediaType
 import org.springframework.stereotype.Service
 import org.springframework.web.client.RestTemplate
+import java.net.URI
 
 @Service
 class PdlBatchClient @Autowired constructor(
     private val restTemplate: RestTemplate,
-    private val stsClient: STSClient,
-    @Value("\${pdl.pdlUrl}") private val pdlUrl: String
+    private val azureClient: AzureClient,
+    @Value("\${pdl.pdlUrl}") private val pdlUrl: String,
+    @Value("\${pdl.pdlScope}") private val pdlScope: String
 ) {
     private val log = LoggerFactory.getLogger(PdlBatchClient::class.java)!!
 
@@ -26,22 +28,21 @@ class PdlBatchClient @Autowired constructor(
                 .message
                 .toString()
                 .replace(Regex("""\d{11}"""), "***********")
-            log.error("AG-ARBEIDSFORHOLD feiler mot PDL: $msg")
+            log.error("AG-ARBEIDSFORHOLD feiler mot PDL: $msg , pdlUrl: $pdlUrl, pdlScope: $pdlScope")
+            log.error(exception.stackTraceToString())
             null
         }
     }
 
     private fun getBatchFraPdlInternal(fnrs: List<String>): HentPersonBolkResponse {
-        val stsToken: String = stsClient.token.access_token
-
         val headers = HttpHeaders()
         headers.contentType = MediaType.APPLICATION_JSON
         headers["Tema"] = "GEN"
-        headers["Nav-Consumer-Token"] = "Bearer $stsToken"
-        headers.setBearerAuth(stsToken)
+        headers["Behandlingsnummer"] = "B415"
+        headers.setBearerAuth(azureClient.getToken(pdlScope))
 
         return restTemplate.postForObject(
-            pdlUrl,
+            URI(pdlUrl),
             HttpEntity(
                 HentPersonBolkRequest(fnrs),
                 headers

src/main/kotlin/no/nav/tag/innsynAareg/mockserver/MockServer.kt

@@ -51,7 +51,8 @@ class MockServer @Autowired constructor(
     @Value("\${aareg.aaregArbeidsgivere}") private val aaregArbeidsgivereUrl: String,
     @Value("\${yrkeskodeverk.yrkeskodeUrl}") private val yrkeskodeUrl: String,
     @Value("\${pdl.pdlUrl}") private val pdlUrl: String,
-    @Value("\${ereg.url}") private val eregUrl: String
+    @Value("\${ereg.url}") private val eregUrl: String,
+    @Value("\${azure.tokenUrl}") private val azureTokenUrl: String
 ) {
 
     init {
@@ -93,6 +94,10 @@ class MockServer @Autowired constructor(
             willReturnJson(hentStringFraFil("STStoken.json"))
         }
 
+        stubForAny(urlPathMatching("${URL(azureTokenUrl).path}.*")) {
+            willReturnJson(hentStringFraFil("azure_token.json"))
+        }
+
         stubForAny(urlPathMatching("${URL(yrkeskodeUrl).path}.*")) {
             willReturnJson(hentStringFraFil("yrkeskoder.json"))
         }