From d0a54a222cdbbc31d72a3ad0f4944226ab9e8fa0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=98yvind=20N=2E=20Wed=C3=B8e?=
Date: Wed, 9 Oct 2024 10:52:24 +0200
Subject: [PATCH] Use system token towards klage-file-api. Access is ensured by checking token and klanke in this app.
---
 .../kotlin/no/nav/klage/clients/FileClient.kt | 6 +++---
 src/main/kotlin/no/nav/klage/util/TokenUtil.kt | 5 ++---
 src/main/resources/application.yml | 16 ++++++----------
 3 files changed, 11 insertions(+), 16 deletions(-)
diff --git a/src/main/kotlin/no/nav/klage/clients/FileClient.kt b/src/main/kotlin/no/nav/klage/clients/FileClient.kt
index ead005fd..e8762087 100644
--- a/src/main/kotlin/no/nav/klage/clients/FileClient.kt
+++ b/src/main/kotlin/no/nav/klage/clients/FileClient.kt
@@ -30,7 +30,7 @@ class FileClient(
 val response = fileWebClient
 .post()
 .uri { it.path("/attachment").build() }
- .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getOnBehalfOfTokenWithKlageFileApiScope()}")
+ .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getAppAccessTokenWithKlageFileApiScope()}")
 .body(BodyInserters.fromMultipartData(bodyBuilder.build()))
 .retrieve()
 .bodyToMono()
@@ -47,7 +47,7 @@ class FileClient(
 logger.debug("Fetching vedlegg file with vedlegg ref {}", vedleggRef)
 return fileWebClient.get()
 .uri { it.path("/attachment/{id}").build(vedleggRef) }
- .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getOnBehalfOfTokenWithKlageFileApiScope()}")
+ .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getAppAccessTokenWithKlageFileApiScope()}")
 .retrieve()
 .bodyToMono()
 .block() ?: throw RuntimeException("Attachment could not be fetched")
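Review bot: With the switch to `getAppAccessTokenWithKlageFileApiScope()` on the `.header(HttpHeaders.AUTHORIZATION, ...)` lines (this hunk, @@ -47 and @@ -57), klage-file-api now receives an application token that carries no end-user identity, so the per-user check that the on-behalf-of token previously allowed the file service to make must happen in this app before every upload, fetch and delete; nothing at the call sites records that, and the commit message is the only place the assumption lives. Add a comment above each call, e.g. `// App (client-credentials) token: klage-file-api cannot tie this request to a user; the caller must already have verified that the user owns the klanke/vedlegg.` Whether the controllers in this app actually perform that ownership check before the fetch and before `deleteVedleggFile` is not visible in the diff — confirm, since a gap there no longer has a server-side backstop. The enclosing functions start and end outside the hunks.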
@@ -57,7 +57,7 @@ class FileClient(
 logger.debug("Deleting vedlegg file with vedlegg ref {}", vedleggRef)
 val deletedInFileStore = fileWebClient.delete()
 .uri { it.path("/attachment/{id}").build(vedleggRef) }
- .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getOnBehalfOfTokenWithKlageFileApiScope()}")
+ .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getAppAccessTokenWithKlageFileApiScope()}")
 .retrieve()
 .bodyToMono()
 .block()!!
diff --git a/src/main/kotlin/no/nav/klage/util/TokenUtil.kt b/src/main/kotlin/no/nav/klage/util/TokenUtil.kt
index 6c03cedf..7c891af8 100644
--- a/src/main/kotlin/no/nav/klage/util/TokenUtil.kt
+++ b/src/main/kotlin/no/nav/klage/util/TokenUtil.kt
@@ -72,9 +72,8 @@ class TokenUtil(
 return response.accessToken!!
 }
 
- fun getOnBehalfOfTokenWithKlageFileApiScope(): String {
- val clientProperties = clientConfigurationProperties.registration["klage-file-api-onbehalfof"]!!
- secureLogger.debug("Getting clientProperties for klage-file-api-onbehalfof: {}", clientProperties)
+ fun getAppAccessTokenWithKlageFileApiScope(): String {
+ val clientProperties = clientConfigurationProperties.registration["klage-file-api-maskintilmaskin"]!!
 val response = oAuth2AccessTokenService.getAccessToken(clientProperties)
 return response.accessToken!!
 }
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 7a6e6a9d..2fa9c6b9 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
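Review bot: The `registration["klage-file-api-maskintilmaskin"]!!` lookup in the new `getAppAccessTokenWithKlageFileApiScope()` fails with a bare NullPointerException on first use if the registration name in application.yml ever drifts from this literal, and nothing in the failure identifies which registration was missing; prefer `val clientProperties = requireNotNull(clientConfigurationProperties.registration["klage-file-api-maskintilmaskin"]) { "Missing client registration: klage-file-api-maskintilmaskin" }`. The kept `return response.accessToken!!` has the same shape — `checkNotNull(response.accessToken) { "No access token returned for klage-file-api-maskintilmaskin" }` makes that failure mode explicit too. Since the function name is the only hint that this is a client-credentials token, give it a KDoc stating that the returned token carries the application's identity only and that callers are responsible for verifying the end user's access to the klanke before acting on the file API with it. `TokenUtil` continues outside the hunk.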
@@ -92,18 +92,14 @@ no.nav.security.jwt:
 client-auth-method: private_key_jwt
 token-exchange:
 audience: ${SAFSELVBETJENING_AUDIENCE}
- klage-file-api-onbehalfof:
- token-endpoint-url: ${TOKEN_X_TOKEN_ENDPOINT}
- grant_type: urn:ietf:params:oauth:grant-type:token-exchange
- client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
- subject_token_type: urn:ietf:params:oauth:token-type:jwt
- audience: ${KLAGE_FILE_API_AUDIENCE}
+ klage-file-api-maskintilmaskin:
+ token-endpoint-url: https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token
+ grant-type: client_credentials
+ scope: api://${NAIS_CLUSTER_NAME}.${NAIS_NAMESPACE}.${KLAGE_FILE_API_APP_NAME}/.default
 authentication:
- client-id: ${TOKEN_X_CLIENT_ID}
- client-jwk: ${TOKEN_X_PRIVATE_JWK}
+ client-id: ${AZURE_APP_CLIENT_ID}
+ client-jwk: ${AZURE_APP_JWK}
 client-auth-method: private_key_jwt
- token-exchange:
- audience: ${KLAGE_FILE_API_AUDIENCE}
 klage-fss-proxy-maskintilmaskin:
 token-endpoint-url: https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token
 grant-type: client_credentials
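Review bot: The new `klage-file-api-maskintilmaskin` registration's `scope:` line introduces `KLAGE_FILE_API_APP_NAME`, a variable nothing else in this diff defines or uses; confirm it is provided by the deployment environment alongside the existing `TENANT_ID` and `AZURE_APP_*` variables, otherwise binding fails at startup. A client-credentials token is only useful if klage-file-api pre-authorizes this application's client id (an inbound access rule on the receiving side), which this configuration change alone does not establish — that should be verified as part of the same rollout, because it is now the only thing standing between the app token and every attachment. The removed `klage-file-api-onbehalfof` block also drops the visible uses of `KLAGE_FILE_API_AUDIENCE`; check whether that and the `TOKEN_X_*` variables are still referenced by the remaining token-exchange registrations before pruning them from the manifest. The `token-endpoint-url` and authentication block duplicate `klage-fss-proxy-maskintilmaskin` just below, so a YAML anchor on the shared values would keep the two client-credentials registrations from drifting.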