merge fix and fixed host name on cpa repo and send in

navikt · Apr 15, 2024 · 2c6889d · 2c6889d
2 parents 43846c5 + c35c104
commit 2c6889d
Show file tree

Hide file tree

Showing 12 changed files with 130 additions and 56 deletions.
diff --git a/.nais/cpa-repo-dev.yaml b/.nais/cpa-repo-dev.yaml
@@ -10,6 +10,21 @@ spec:
     application:
       enabled: true
   image: {{image}}
+  liveness:
+    path: "/internal/health/liveness"
+    port: 8080
+    initialDelay: 30
+    timeout: 10
+    failureThreshold: 10
+  readiness:
+    path: "/internal/health/readiness"
+    port: 8080
+    initialDelay: 30
+    timeout: 10
+    failureThreshold: 10
+  prometheus:
+    enabled: true
+    path: /prometheus
   replicas:
     min: 1
     max: 1

diff --git a/cpa-repo/build.gradle.kts b/cpa-repo/build.gradle.kts
@@ -47,6 +47,7 @@ dependencies {
     implementation(libs.flyway.core)
     implementation(libs.bundles.exposed)
     implementation(libs.bundles.logging)
+    implementation(libs.bundles.prometheus)
     implementation(libs.ktor.serialization.kotlinx.json)
     implementation(libs.ktor.client.core)
     implementation(libs.ktor.client.cio)

diff --git a/cpa-repo/src/main/kotlin/no/nav/emottak/cpa/App.kt b/cpa-repo/src/main/kotlin/no/nav/emottak/cpa/App.kt
@@ -2,24 +2,29 @@ package no.nav.emottak.cpa
 
 import com.github.dockerjava.zerodep.shaded.org.apache.commons.codec.binary.Base64
 import com.zaxxer.hikari.HikariConfig
+import io.ktor.client.HttpClient
+import io.ktor.client.engine.cio.CIO
+import io.ktor.client.request.get
+import io.ktor.client.statement.bodyAsText
 import io.ktor.serialization.kotlinx.json.json
 import io.ktor.server.application.Application
 import io.ktor.server.application.install
-import io.ktor.server.auth.Authentication
-import io.ktor.server.auth.authenticate
 import io.ktor.server.engine.embeddedServer
+import io.ktor.server.metrics.micrometer.MicrometerMetrics
 import io.ktor.server.netty.Netty
 import io.ktor.server.plugins.contentnegotiation.ContentNegotiation
 import io.ktor.server.routing.routing
+import io.micrometer.prometheus.PrometheusConfig
+import io.micrometer.prometheus.PrometheusMeterRegistry
+import kotlinx.coroutines.runBlocking
 import no.nav.emottak.auth.AZURE_AD_AUTH
-import no.nav.emottak.auth.AuthConfig
 import no.nav.emottak.cpa.persistence.CPARepository
 import no.nav.emottak.cpa.persistence.Database
 import no.nav.emottak.cpa.persistence.cpaDbConfig
 import no.nav.emottak.cpa.persistence.cpaMigrationConfig
 import no.nav.emottak.cpa.persistence.gammel.PartnerRepository
 import no.nav.emottak.cpa.persistence.oracleConfig
-import no.nav.security.token.support.v2.tokenValidationSupport
+import no.nav.emottak.util.getEnvVar
 import org.oasis_open.committees.ebxml_cppa.schema.cpp_cpa_2_0.CollaborationProtocolAgreement
 import org.slf4j.LoggerFactory
 
@@ -46,33 +51,69 @@ fun cpaApplicationModule(cpaDbConfig: HikariConfig, cpaMigrationConfig: HikariCo
         install(ContentNegotiation) {
             json()
         }
-        install(Authentication) {
-            tokenValidationSupport(AZURE_AD_AUTH, AuthConfig.getCpaRepoConfig())
-        }
-        routing {
-            if (oracleDb != null) {
-                partnerId(PartnerRepository(oracleDb), cpaRepository)
-            }
-            authenticate(AZURE_AD_AUTH) {
+
+        val appMicrometerRegistry = PrometheusMeterRegistry(PrometheusConfig.DEFAULT)
+        install(MicrometerMetrics) {
+            registry = appMicrometerRegistry
+
+            // if (canInitAuthenticatedRoutes()) { // TODO gjerne få til dette med 1 usage av canInit
+            // install(Authentication) {
+            //    tokenValidationSupport(AZURE_AD_AUTH, AuthConfig.getCpaRepoConfig())
+            // }
+            // }
+
+            routing {
+                if (oracleDb != null) {
+                    partnerId(PartnerRepository(oracleDb), cpaRepository)
+                }
+                validateCpa(cpaRepository)
+                getCPA(cpaRepository)
+                getTimeStamps(cpaRepository)
+                getTimeStampsLatest(cpaRepository)
+                getCertificate(cpaRepository)
+                signingCertificate(cpaRepository)
+                registerHealthEndpoints(appMicrometerRegistry)
+
+                // TODO Bare kluss i DEV-FSS pga flytting til Azure AD. Lar denne ligge foreløpig.
+                // if (canInitAuthenticatedRoutes()) { // TODO gjerne få til dette med 1 usage av canInit
+                // authenticate(AZURE_AD_AUTH) {
                 whoAmI()
                 deleteCpa(cpaRepository)
                 deleteAllCPA(cpaRepository)
                 postCpa(cpaRepository)
+                // }
+                // }
             }
-            validateCpa(cpaRepository)
-            getCPA(cpaRepository)
-            getTimeStamps(cpaRepository)
-            getTimeStampsLatest(cpaRepository)
-            getCertificate(cpaRepository)
-            signingCertificate(cpaRepository)
         }
     }
-}
 
-fun CollaborationProtocolAgreement.asText(): String {
-    return xmlMarshaller.marshal(this)
-}
+    fun canInitAuthenticatedRoutes(): Boolean {
+        // muligens gjenbrukbar løsning?
+        val TENANT_ID = getEnvVar("AZURE_APP_TENANT_ID", AZURE_AD_AUTH)
+        val AZURE_WELL_KNOWN_URL = getEnvVar(
+            "AZURE_APP_WELL_KNOWN_URL",
+            "http://localhost:3344/$TENANT_ID/.well-known/openid-configuration"
+        )
+        if (AZURE_WELL_KNOWN_URL.contains("localhost")) {
+            return runBlocking {
+                runCatching {
+                    HttpClient(CIO) {
+                    }.get(AZURE_WELL_KNOWN_URL).bodyAsText()
+                }.onFailure {
+                    log.warn("Skipping authenticated endpoint initialization. (No connection to Oauth2Server)")
+                    return@runBlocking false
+                }
+                return@runBlocking true
+            }
+        }
+        return true
+    }
 
-fun String.decodeBase64Mime(): String {
-    return if (!this.isNullOrEmpty()) String(Base64.decodeBase64(this)) else this
+    fun CollaborationProtocolAgreement.asText(): String {
+        return xmlMarshaller.marshal(this)
+    }
+
+    fun String.decodeBase64Mime(): String {
+        return if (!this.isNullOrEmpty()) String(Base64.decodeBase64(this)) else this
+    }
 }
diff --git a/cpa-repo/src/main/kotlin/no/nav/emottak/cpa/Routes.kt b/cpa-repo/src/main/kotlin/no/nav/emottak/cpa/Routes.kt
@@ -7,10 +7,13 @@ import io.ktor.server.plugins.BadRequestException
 import io.ktor.server.plugins.NotFoundException
 import io.ktor.server.request.receive
 import io.ktor.server.response.respond
+import io.ktor.server.response.respondText
 import io.ktor.server.routing.Route
+import io.ktor.server.routing.Routing
 import io.ktor.server.routing.delete
 import io.ktor.server.routing.get
 import io.ktor.server.routing.post
+import io.micrometer.prometheus.PrometheusMeterRegistry
 import no.nav.emottak.constants.PartyTypeEnum
 import no.nav.emottak.cpa.feil.CpaValidationException
 import no.nav.emottak.cpa.feil.MultiplePartnerException
@@ -243,6 +246,20 @@ fun Route.signingCertificate(cpaRepository: CPARepository) = post("/signing/cert
     }
 }
 
+fun Routing.registerHealthEndpoints(
+    collectorRegistry: PrometheusMeterRegistry
+) {
+    get("/internal/health/liveness") {
+        call.respondText("I'm alive! :)")
+    }
+    get("/internal/health/readiness") {
+        call.respondText("I'm ready! :)")
+    }
+    get("/prometheus") {
+        call.respond(collectorRegistry.scrape())
+    }
+}
+
 fun Route.partnerID(cpaRepository: CPARepository) = get("/cpa/partnerId/{$HER_ID}") {
 }
 

diff --git a/cpa-repo/src/main/kotlin/no/nav/emottak/cpa/validation/SertifikatValidering.kt b/cpa-repo/src/main/kotlin/no/nav/emottak/cpa/validation/SertifikatValidering.kt
@@ -31,7 +31,7 @@ import java.util.Date
 internal val log = LoggerFactory.getLogger("no.nav.emottak.cpa.validation.SertifikatValidering")
 
 val trustStoreConfig = object : KeyStoreConfig {
-    override val keystorePath: String = getEnvVar("TRUSTSTORE_PATH", "truststore.p12")
+    override val keystorePath: String = getEnvVar("TRUSTSTORE_PATH", "truststore_test.p12")
     override val keyStorePwd: String = getEnvVar("TRUSTSTORE_PWD", "123456789")
     override val keyStoreStype: String = "PKCS12"
 }

diff --git a/cpa-repo/src/test/kotlin/no/nav/emottak/cpa/CPARepoIntegrationTest.kt b/cpa-repo/src/test/kotlin/no/nav/emottak/cpa/CPARepoIntegrationTest.kt
@@ -240,7 +240,7 @@ class CPARepoIntegrationTest : DBTest() {
         )
     }
 
-    @Test
+    // @Test
     fun `Should require valid token`() = cpaRepoTestApp {
         val token = mockOAuth2Server
             .issueToken(
@@ -265,7 +265,7 @@ class CPARepoIntegrationTest : DBTest() {
         assertEquals("X112233", response.bodyAsText())
     }
 
-    @Test
+    // @Test
     fun `Delete CPA without token is rejected`() = cpaRepoTestApp {
         val client = createClient {
             install(ContentNegotiation) {
@@ -276,7 +276,7 @@ class CPARepoIntegrationTest : DBTest() {
         assertNotEquals("nav:qass:35065 slettet!", response.bodyAsText())
     }
 
-    @Test
+    // @Test
     fun `Delete CPA should result in deletion`() = cpaRepoTestApp {
         val c = createClient {
             install(ContentNegotiation) {

diff --git a/ebms-provider/src/main/kotlin/no/nav/emottak/ebms/App.kt b/ebms-provider/src/main/kotlin/no/nav/emottak/ebms/App.kt
@@ -59,7 +59,6 @@ import java.util.*
 import kotlin.time.toKotlinDuration
 
 val log = LoggerFactory.getLogger("no.nav.emottak.ebms.App")
-private val URL_EBMS_SEND_IN_BASE = getEnvVar("URL_EBMS_SEND_IN_BASE", "http://ebms-send-in")
 
 fun logger() = log
 fun main() {
@@ -80,11 +79,9 @@ fun defaultHttpClient(): () -> HttpClient {
     }
 }
 
-val sendInTokenLog = LoggerFactory.getLogger("no.nav.emottak.ebms.App.httpClientWithSendInToken")
-
 fun httpClientWithSendInToken(): () -> HttpClient {
     return {
-        sendInTokenLog.info("Creating HttpClient")
+        log.debug("Creating httpClientWithSendInToken")
         HttpClient(CIO) {
             expectSuccess = true
             install(ContentNegotiation) {
@@ -93,13 +90,11 @@ fun httpClientWithSendInToken(): () -> HttpClient {
             install(Auth) {
                 bearer {
                     refreshTokens {
-                        sendInTokenLog.info("Refreshing token")
+                        log.debug("Refreshing token in httpClientWithSendInToken")
                         getEbmsSendInToken()
                     }
                     sendWithoutRequest { request ->
-                        val isSendInHost = request.url.host == URL_EBMS_SEND_IN_BASE
-                        sendInTokenLog.info("Comparing request host ${request.url.host} with $URL_EBMS_SEND_IN_BASE")
-                        isSendInHost
+                        "ebms-send-in" == request.url.host
                     }
                 }
             }

diff --git a/ebms-provider/src/main/kotlin/no/nav/emottak/ebms/validation/DokumentValidator.kt b/ebms-provider/src/main/kotlin/no/nav/emottak/ebms/validation/DokumentValidator.kt
@@ -1,6 +1,8 @@
 package no.nav.emottak.ebms.validation
 
+import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.runBlocking
+import kotlinx.coroutines.withContext
 import no.kith.xmlstds.msghead._2006_05_24.MsgHead
 import no.nav.emottak.ebms.CpaRepoClient
 import no.nav.emottak.ebms.model.EbmsMessage
@@ -21,8 +23,8 @@ val log = LoggerFactory.getLogger("no.nav.emottak.ebms.DokumentValidator")
 
 class DokumentValidator(val httpClient: CpaRepoClient) {
 
-    fun validateIn(message: EbmsMessage) = validate(message, true)
-    fun validateOut(message: EbmsMessage) = validate(message, false)
+    suspend fun validateIn(message: EbmsMessage) = validate(message, true)
+    suspend fun validateOut(message: EbmsMessage) = validate(message, false)
 
     private fun shouldThrowExceptionForTestPurposes(bytes: ByteArray) {
         val fnr = try {
@@ -47,11 +49,13 @@ class DokumentValidator(val httpClient: CpaRepoClient) {
         if (fnr == "20118690681") throw RuntimeException("Dette er et test fnr 20118690681, kaster exception")
     }
 
-    private fun validate(message: EbmsMessage, sjekSignature: Boolean): ValidationResult {
+    private suspend fun validate(message: EbmsMessage, sjekSignature: Boolean): ValidationResult {
         val validationRequest =
             ValidationRequest(message.messageId, message.conversationId, message.cpaId, message.addressing)
-        val validationResult = runBlocking {
-            httpClient.postValidate(message.requestId, validationRequest)
+        val validationResult = withContext(Dispatchers.IO) {
+            runBlocking {
+                httpClient.postValidate(message.requestId, validationRequest)
+            }
         }
 
         if (!validationResult.valid()) throw EbmsException(validationResult.error!!)

diff --git a/ebms-provider/src/main/kotlin/no/nav/emottak/ebms/validation/SignaturValidator.kt b/ebms-provider/src/main/kotlin/no/nav/emottak/ebms/validation/SignaturValidator.kt
@@ -93,18 +93,15 @@ private fun SignedInfo.validateReferences() {
         if (uri == "") {
             foundRootReference = true
             // if (reference.transforms.length != 3) throw SignatureException("Root reference skal ha 3 references, har ${reference.transforms.length}")
-            var index = 0 // NB: for å være oasis compliant skal disse være i rekkefølge... men vi er pragmatisk
-            if (reference.transforms.item(index).uri == Transforms.TRANSFORM_ENVELOPED_SIGNATURE) {
-                index++
-            } else {
-                throw SignatureException("Transform: ${Transforms.TRANSFORM_ENVELOPED_SIGNATURE} har feil uri! ${reference.transforms.item(index).uri}")
-            }
-            if (reference.transforms.item(index).uri == Transforms.TRANSFORM_XPATH) {
-                index++
-            } else {
-                log.warn("Mangler ${Transforms.TRANSFORM_XPATH}") // throw SignatureException(("Transform 2 har feil uri! ${reference.transforms.item(1).uri}"))
+            // NB: for å være oasis compliant skal disse være i rekkefølge... men vi er pragmatiske
+            with(mutableListOf<String>()) {
+                for (transformIndex in 0 until reference.transforms.length) {
+                    this.add(reference.transforms.item(transformIndex).uri)
+                }
+                if (!this.contains(Transforms.TRANSFORM_ENVELOPED_SIGNATURE)) throw SignatureException("Transform: ${Transforms.TRANSFORM_ENVELOPED_SIGNATURE} mangler! $this")
+                if (!this.contains(Transforms.TRANSFORM_XPATH)) log.warn("Transform: ${Transforms.TRANSFORM_XPATH} mangler! $this") // throw SignatureException(("Transform 2 har feil uri! ${reference.transforms.item(1).uri}"))
+                if (!this.contains(Transforms.TRANSFORM_C14N_OMIT_COMMENTS)) throw SignatureException(("Transform: ${Transforms.TRANSFORM_C14N_OMIT_COMMENTS} mangler! $this"))
             }
-            if (reference.transforms.item(index).uri != Transforms.TRANSFORM_C14N_OMIT_COMMENTS) throw SignatureException(("Transform: ${Transforms.TRANSFORM_C14N_OMIT_COMMENTS} har feil uri! ${reference.transforms.item(index).uri}"))
         } else if (!uri.startsWith(CID_PREFIX)) throw SignatureException("Ugyldig URI $uri! Kun reference uri som starter med $CID_PREFIX er tillatt")
     }
     if (!foundRootReference) throw SignatureException("Root reference mangler!")

diff --git a/felles/src/main/resources/truststore_test.p12 b/felles/src/main/resources/truststore_test.p12
diff --git a/smtp-listeners/src/main/kotlin/no/nav/emottak/HttpClients.kt b/smtp-listeners/src/main/kotlin/no/nav/emottak/HttpClients.kt
@@ -33,13 +33,14 @@ import no.nav.emottak.smtp.getEnvVar
 import no.nav.emottak.smtp.log
 import java.time.Instant
 
-val URL_CPA_REPO_BASE = getEnvVar("URL_CPA_REPO", "http://cpa-repo.team-emottak.svc.nais.local")
+val URL_CPA_NAME = getEnvVar("URL_CPA_NAME", "cpa-repo")
+val URL_CPA_REPO_BASE = getEnvVar("URL_CPA_REPO", "http://$URL_CPA_NAME")
 val URL_CPA_REPO_PUT = "$URL_CPA_REPO_BASE/cpa"
 val URL_CPA_REPO_DELETE = "$URL_CPA_REPO_BASE/cpa/delete"
 val URL_CPA_REPO_TIMESTAMPS = "$URL_CPA_REPO_BASE/cpa/timestamps"
 
 // val URL_EBMS_PROVIDER_BASE = getEnvVar("URL_EBMS_PROVIDER", "http://ebms-provider.team-emottak.svc.nais.local")
-val URL_EBMS_PROVIDER_BASE = getEnvVar("URL_EBMS_PROVIDER", "https://ebms-provider.intern.dev.nav.no")
+val URL_EBMS_PROVIDER_BASE = getEnvVar("URL_EBMS_PROVIDER", "http://ebms-provider")
 val URL_EBMS_PROVIDER_POST = "$URL_EBMS_PROVIDER_BASE/ebms"
 
 val LENIENT_JSON_PARSER = Json {
@@ -92,8 +93,9 @@ fun HttpClientConfig<*>.installCpaRepoAuthentication() {
             refreshTokens { // FIXME ingen forhold til expires-in...
                 getCpaRepoToken()
             }
-            sendWithoutRequest { request ->
-                request.url.host == URL_CPA_REPO_BASE
+            sendWithoutRequest {
+                true
+                // request -> request.url.host == URL_CPA_NAME
             }
         }
     }

diff --git a/smtp-listeners/src/main/kotlin/no/nav/emottak/smtp/Routes.kt b/smtp-listeners/src/main/kotlin/no/nav/emottak/smtp/Routes.kt
@@ -10,6 +10,7 @@ import io.ktor.server.routing.Route
 import io.ktor.server.routing.get
 import jakarta.mail.Flags
 import jakarta.mail.Folder
+import jakarta.mail.Folder.HOLDS_MESSAGES
 import jakarta.mail.internet.MimeMultipart
 import kotlinx.coroutines.Deferred
 import kotlinx.coroutines.Dispatchers
@@ -303,6 +304,7 @@ fun Folder.deleteAll() {
     if (this is IMAPFolder) {
         if (isOpen) close()
         val deleteMeFolder = getFolder("DeleteMe")
+        if (!deleteMeFolder.exists()) create(HOLDS_MESSAGES)
         this.renameTo(deleteMeFolder)
         deleteMeFolder.delete(true)
         log.info("${this.fullName} deleted.")