Endre tilgang på statistikk-endepunkt (#100)

* Endre tilgang på statistikk-endepunkt * Kommentar på hvilke id'er som tilhører hvilken AD-gruppe
navikt · Jul 5, 2024 · 875ec16 · 875ec16
1 parent 50c0f3a
commit 875ec16
Show file tree

Hide file tree

Showing 5 changed files with 87 additions and 5 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -33,7 +33,7 @@ jobs:
     #########################
     ### DEVELOPERS: Insert your feature branch name below (in addition to master) if you want to deploy it to dev
     #########################
-    if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/flytte_database'
+    if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/endret_tilgang_på_rest'
     runs-on: ubuntu-latest
     outputs:
       image: ${{ steps.docker-build-push.outputs.image }}

diff --git a/nais/nais-dev.yaml b/nais/nais-dev.yaml
@@ -43,10 +43,15 @@ spec:
   azure:
     application:
       enabled: true
-      allowAllUsers: true
+      allowAllUsers: false
       claims:
         extra:
           - NAVident
+        groups:
+          - id: "67a06857-0028-4a90-bf4c-9c9a92c7d733"   # adGruppeModiaGenerellTilgang
+          - id: "0dba8374-bf36-4d89-bbba-662447d57b94"   # adGruppeJobbsøkerrettet
+          - id: "52bc2af7-38d1-468b-b68d-0f3a4de45af2"   # adGruppeArbeidsgiverrettet
+          - id: "a1749d9a-52e0-4116-bb9f-935c38f6c74a"   # adGruppeUtvikler
   env:
     - name: KAFKA_RAPID_TOPIC
       value: toi.rapid-1

diff --git a/nais/nais-prod.yaml b/nais/nais-prod.yaml
@@ -42,10 +42,15 @@ spec:
   azure:
     application:
       enabled: true
-      allowAllUsers: true
+      allowAllUsers: false
       claims:
         extra:
           - NAVident
+        groups:
+          - id: "ea34edea-1e80-4759-a1d2-fbe696cf1709"   # adGruppeModiaGenerellTilgang
+          - id: "66b70a6a-3d05-47b3-8b5a-47c681dcd1d5"   # adGruppeJobbsøkerrettet
+          - id: "46c8e3b2-0469-4740-983f-d8cd2b6e4fee"   # adGruppeArbeidsgiverrettet
+          - id: "41080368-439f-4128-858a-afbef876431e"   # adGruppeUtvikler
   env:
     - name: KAFKA_RAPID_TOPIC
       value: toi.rapid-1

diff --git a/test/no/nav/statistikkapi/HentStatistikkTest.kt b/test/no/nav/statistikkapi/HentStatistikkTest.kt
@@ -4,12 +4,17 @@ import assertk.assertThat
 import assertk.assertions.isEqualTo
 import assertk.assertions.isLessThan
 import assertk.assertions.isZero
+import com.fasterxml.jackson.databind.SerializationFeature
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule
 import io.ktor.client.*
 import io.ktor.client.call.*
 import io.ktor.client.engine.apache.*
+import io.ktor.client.plugins.*
+import io.ktor.client.plugins.contentnegotiation.*
 import io.ktor.client.request.*
 import io.ktor.client.statement.*
 import io.ktor.http.*
+import io.ktor.serialization.jackson.*
 import kotlinx.coroutines.runBlocking
 import no.nav.security.mock.oauth2.MockOAuth2Server
 import no.nav.statistikkapi.db.TestDatabase
@@ -19,6 +24,7 @@ import no.nav.statistikkapi.kandidatutfall.Innsatsgruppe.Companion.erIkkeStandar
 import no.nav.statistikkapi.kandidatutfall.Innsatsgruppe.IKVAL
 import no.nav.statistikkapi.kandidatutfall.KandidatutfallRepository
 import no.nav.statistikkapi.kandidatutfall.Utfall.*
+import org.apache.http.HttpHeaders
 import org.junit.After
 import org.junit.Test
 import java.time.LocalDate
@@ -648,6 +654,71 @@ class HentStatistikkTest {
         }.body()
     }
 
+    @Test
+    fun `Kall med token skal få 200 OK`() {
+        assertThat(hentStatistikkStatus().status).isEqualTo(HttpStatusCode.OK)
+    }
+
+    @Test
+    fun `Kall uten token skal få 401 Unauthorized`() {
+        assertThat(hentStatistikkStatus(token = null).status).isEqualTo(HttpStatusCode.Unauthorized)
+    }
+
+    @Test
+    fun `Kall med utdatert token skal få 401 Unauthorized`() {
+        assertThat(hentStatistikkStatus(token = hentToken(mockOAuth2Server, "azuread", expiry = -60)).status).isEqualTo(HttpStatusCode.Unauthorized)
+    }
+
+    @Test
+    fun `Kall med feil audience skal få 401 Unauthorized`() {
+        assertThat(hentStatistikkStatus(token = hentToken(mockOAuth2Server, "azuread", audience = "feilaudience")).status).isEqualTo(HttpStatusCode.Unauthorized)
+    }
+
+    @Test
+    fun `Kall med feil algoritme skal få 401 Unauthorized`() {
+        val token = hentToken(mockOAuth2Server, "azuread").split(".")
+        val falskToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.${token[1]}."
+        assertThat(hentStatistikkStatus(token = falskToken).status).isEqualTo(HttpStatusCode.Unauthorized)
+    }
+
+    @Test
+    fun `Kall med feil issuer skal få 401 Unauthorized`() {
+        val feilOauthserver = MockOAuth2Server()
+        try {
+            feilOauthserver.start(port = randomPort())
+            assertThat(hentStatistikkStatus(token = hentToken(feilOauthserver, "azuread")).status).isEqualTo(HttpStatusCode.Unauthorized)
+        } finally {
+            feilOauthserver.shutdown()
+        }
+    }
+
+
+    private fun hentStatistikkStatus(
+        fraOgMed: LocalDate = LocalDate.of(2020, 10, 1),
+        tilOgMed: LocalDate = LocalDate.of(2020, 10, 31),
+        navKontor: String = etKandidatutfall.navKontor,
+        token: String? = hentToken(mockOAuth2Server, "azuread")
+    ) = runBlocking {
+        httpKlient().get("${basePath}/statistikk") {
+            token?.let {
+                header(HttpHeaders.AUTHORIZATION, "Bearer $it")
+            }
+            leggTilQueryParametere(this, fraOgMed, tilOgMed, navKontor)
+        }
+    }
+
+    fun httpKlient() = HttpClient(Apache) {
+        install(ContentNegotiation) {
+            jackson {
+                registerModule(JavaTimeModule())
+                disable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)
+            }
+        }
+        defaultRequest {
+            contentType(ContentType.Application.Json)
+        }
+    }
+
     @After
     fun cleanUp() {
         testRepository.slettAlleUtfall()

diff --git a/test/no/nav/statistikkapi/TestUtils.kt b/test/no/nav/statistikkapi/TestUtils.kt
@@ -14,13 +14,14 @@ import no.nav.security.mock.oauth2.MockOAuth2Server
 import no.nav.security.mock.oauth2.token.DefaultOAuth2TokenCallback
 import kotlin.random.Random
 
-fun hentToken(mockOAuth2Server: MockOAuth2Server, issuerId: String): String = mockOAuth2Server.issueToken(issuerId, "klient",
+fun hentToken(mockOAuth2Server: MockOAuth2Server, issuerId: String, expiry: Long = 3600, audience: String = "statistikk-api"): String = mockOAuth2Server.issueToken(issuerId, "klient",
     DefaultOAuth2TokenCallback(
         issuerId = issuerId,
         claims = mapOf(
             Pair("NAVident", enNavIdent),
         ),
-        audience = listOf("statistikk-api")
+        audience = listOf(audience),
+        expiry = expiry
     )
 ).serialize()