Bugfix/idporten org tilgang (#3362)

* Frontend endret consumer som var feil
* PersonOrgTilgangService gitt outbound maskinporten-tilgang

apps/dolly-frontend/config.idporten.yml

@@ -83,7 +83,7 @@ spec:
       memory: 1024Mi
     limits:
       memory: 2048Mi
-  image: {{image}}
+  image: "{{image}}"
   envFrom:
     - secret: idporten-dolly-prod
   env:

apps/dolly-frontend/config.test.yml

@@ -91,7 +91,7 @@ spec:
       memory: 1024Mi
     limits:
       memory: 2048Mi
-  image: {{image}}
+  image: "{{image}}"
   env:
     - name: SPRING_PROFILES_ACTIVE
       value: dev

apps/dolly-frontend/config.unstable.yml

@@ -92,7 +92,7 @@ spec:
       memory: 1024Mi
     limits:
       memory: 2048Mi
-  image: {{image}}
+  image: "{{image}}"
   env:
     - name: SPRING_PROFILES_ACTIVE
       value: dev

apps/dolly-frontend/config.yml

@@ -91,7 +91,7 @@ spec:
       memory: 1024Mi
     limits:
       memory: 2048Mi
-  image: {{image}}
+  image: "{{image}}"
   envFrom:
     - secret: idporten-dolly-prod
   env:

apps/dolly-frontend/src/main/java/no/nav/dolly/web/consumers/PersonOrganisasjonTilgangConsumer.java

@@ -30,7 +30,7 @@ public PersonOrganisasjonTilgangConsumer(
             ObjectMapper objectMapper) {
 
         this.accessService = accessService;
-        serverProperties = consumers.getTestnavOrganisasjonTilgangService();
+        serverProperties = consumers.getTestnavPersonOrganisasjonTilgangService();
         ExchangeStrategies jacksonStrategy = ExchangeStrategies.builder()
                 .codecs(config -> {
                     config.defaultCodecs()

apps/dolly-frontend/src/main/java/no/nav/dolly/web/consumers/command/GetPersonOrganisasjonTilgangCommand.java

@@ -1,6 +1,7 @@
 package no.nav.dolly.web.consumers.command;
 
 import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
 import no.nav.dolly.web.consumers.dto.OrganisasjonDTO;
 import no.nav.testnav.libs.reactivecore.utils.WebClientFilter;
 import org.springframework.http.HttpHeaders;
@@ -11,7 +12,7 @@
 import java.time.Duration;
 import java.util.concurrent.Callable;
 
-
+@Slf4j
 @RequiredArgsConstructor
 public class GetPersonOrganisasjonTilgangCommand implements Callable<Mono<OrganisasjonDTO>> {
     private final WebClient webClient;
@@ -26,6 +27,10 @@ public Mono<OrganisasjonDTO> call() {
                 .header(HttpHeaders.AUTHORIZATION, "Bearer " + token)
                 .retrieve()
                 .bodyToMono(OrganisasjonDTO.class)
+                .doOnError(error -> log.error("Feilet å hente organisasjon, status: {}, feilmelding: ",
+                        WebClientFilter.getMessage(error),
+                        WebClientFilter.getMessage(error),
+                        error))
                 .retryWhen(Retry.backoff(3, Duration.ofSeconds(5))
                         .filter(WebClientFilter::is5xxException));
     }

apps/dolly-frontend/src/main/resources/application-dev.yml

@@ -13,10 +13,6 @@ consumers:
   testnorge-profil-api:
     name: testnorge-profil-api-dev
     url: http://testnorge-profil-api-dev.dolly.svc.cluster.local
-  testnav-organisasjon-tilgang-service:
-    name: testnav-organisasjon-tilgang-service
-    url: http://testnav-organisasjon-tilgang-service.dolly.svc.cluster.local
-    cluster: dev-gcp
   testnav-varslinger-service:
     name: testnav-varslinger-service-dev
     url: http://testnav-varslinger-service-dev.dolly.svc.cluster.local

apps/person-organisasjon-tilgang-service/build.gradle

@@ -72,8 +72,7 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-webflux'
     implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
 
-
-    implementation 'org.springframework.boot:spring-boot-starter-actuator'
+    implementation 'org.springframework.cloud:spring-cloud-starter-vault-config'
 
     implementation 'io.micrometer:micrometer-registry-prometheus'
 

apps/person-organisasjon-tilgang-service/config.test.yml

@@ -6,7 +6,7 @@ metadata:
   labels:
     team: dolly
 spec:
-  image: {{ image }}
+  image: "{{ image }}"
   port: 8080
   azure:
     application:
@@ -24,24 +24,15 @@ spec:
     inbound:
       rules:
         - application: dolly-frontend-dev
-          cluster: dev-gcp
         - application: dolly-idporten
-          cluster: dev-gcp
         - application: dolly-frontend-dev-unstable
-          cluster: dev-gcp
         - application: team-dolly-lokal-app
-          cluster: dev-gcp
         - application: testnav-oversikt-frontend
-          cluster: dev-gcp
         - application: testnav-bruker-service-dev
-          cluster: dev-gcp
         - application: testnorge-profil-api-dev
-          cluster: dev-gcp
+        - application: testnorge-profil-api-dev
         - application: app-1
-          cluster: dev-gcp
           namespace: plattformsikkerhet
-        - application: testnorge-profil-api-dev
-          cluster: dev-gcp
     outbound:
       external:
         - host: tt02.altinn.no

apps/person-organisasjon-tilgang-service/config.yml

@@ -6,7 +6,7 @@ metadata:
   labels:
     team: dolly
 spec:
-  image: {{image}}
+  image: "{{image}}"
   port: 8080
   azure:
     application:
@@ -19,18 +19,17 @@ spec:
     inbound:
       rules:
         - application: dolly-frontend
-          cluster: dev-gcp
         - application: dolly-idporten
-          cluster: dev-gcp
-        - application: dolly-frontend-dev-unstable
-          cluster: dev-gcp
         - application: testnav-bruker-service
-          cluster: dev-gcp
         - application: testnorge-profil-api
-          cluster: dev-gcp
+        - application: team-dolly-lokal-app
+        - application: testnorge-profil-api
+        - application: app-1
+          namespace: plattformsikkerhet
     outbound:
       external:
         - host: altinn.no
+        - host: maskinporten.no
   liveness:
     path: /internal/isAlive
     initialDelay: 4

apps/person-organisasjon-tilgang-service/src/main/java/no/nav/testnav/apps/persontilgangservice/client/altinn/v1/command/GetPersonAccessCommand.java

@@ -1,14 +1,19 @@
 package no.nav.testnav.apps.persontilgangservice.client.altinn.v1.command;
 
 import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import no.nav.testnav.apps.persontilgangservice.client.altinn.v1.dto.AccessDTO;
+import no.nav.testnav.libs.reactivecore.utils.WebClientFilter;
 import org.springframework.http.HttpHeaders;
 import org.springframework.web.reactive.function.client.WebClient;
 import reactor.core.publisher.Mono;
+import reactor.util.retry.Retry;
 
+import java.time.Duration;
+import java.util.Arrays;
 import java.util.concurrent.Callable;
 
-import no.nav.testnav.apps.persontilgangservice.client.altinn.v1.dto.AccessDTO;
-
+@Slf4j
 @RequiredArgsConstructor
 public class GetPersonAccessCommand implements Callable<Mono<AccessDTO[]>> {
     private final WebClient webClient;
@@ -31,6 +36,13 @@ public Mono<AccessDTO[]> call() {
                 .header(HttpHeaders.AUTHORIZATION, "Bearer " + token)
                 .header("ApiKey", apiKey)
                 .retrieve()
-                .bodyToMono(AccessDTO[].class);
+                .bodyToMono(AccessDTO[].class)
+                .doOnNext(response -> Arrays.stream(response)
+                        .forEach(entry ->
+                                log.info("Hentet organisasjon fra Altinn: navn: {}, type: {}, orgnr: {}, orgform: {}, status: {} ",
+                                        entry.name(), entry.type(), entry.organizationNumber(), entry.organizationForm(), entry.status())))
+                .doOnError(error -> log.error("Henting av \"/reportees\" feilet: {}", WebClientFilter.getMessage(error), error))
+                .retryWhen(Retry.backoff(3, Duration.ofSeconds(5))
+                        .filter(WebClientFilter::is5xxException));
     }
 }

apps/person-organisasjon-tilgang-service/src/main/java/no/nav/testnav/apps/persontilgangservice/config/LocalVaultConfig.java

@@ -0,0 +1,36 @@
+package no.nav.testnav.apps.persontilgangservice.config;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.vault.annotation.VaultPropertySource;
+import org.springframework.vault.authentication.ClientAuthentication;
+import org.springframework.vault.authentication.TokenAuthentication;
+import org.springframework.vault.client.VaultEndpoint;
+import org.springframework.vault.config.AbstractVaultConfiguration;
+
+import static io.micrometer.common.util.StringUtils.isBlank;
+
+@Configuration
+@Profile("local")
+@VaultPropertySource(value = "secret/dolly/lokal", ignoreSecretNotFound = false)
+public class LocalVaultConfig extends AbstractVaultConfiguration {
+
+    private static final String VAULT_TOKEN = "spring.cloud.vault.token";
+
+    @Override
+    public VaultEndpoint vaultEndpoint() {
+        return VaultEndpoint.create("vault.adeo.no", 443);
+    }
+
+    @Override
+    public ClientAuthentication clientAuthentication() {
+        if (System.getenv().containsKey("VAULT_TOKEN")) {
+            System.setProperty(VAULT_TOKEN, System.getenv("VAULT_TOKEN"));
+        }
+        var token = System.getProperty(VAULT_TOKEN);
+        if (isBlank(token)) {
+            throw new IllegalArgumentException("Påkrevet property 'spring.cloud.vault.token' er ikke satt.");
+        }
+        return new TokenAuthentication(System.getProperty(VAULT_TOKEN));
+    }
+}

apps/person-organisasjon-tilgang-service/src/main/java/no/nav/testnav/apps/persontilgangservice/controller/PersonOrganisasjonController.java

@@ -1,6 +1,9 @@
 package no.nav.testnav.apps.persontilgangservice.controller;
 
 import lombok.RequiredArgsConstructor;
+import no.nav.testnav.apps.persontilgangservice.controller.dto.OrganisasjonDTO;
+import no.nav.testnav.apps.persontilgangservice.domain.Access;
+import no.nav.testnav.apps.persontilgangservice.service.PersonOrganisasjonService;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -9,10 +12,6 @@
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
 
-import no.nav.testnav.apps.persontilgangservice.controller.dto.OrganisasjonDTO;
-import no.nav.testnav.apps.persontilgangservice.domain.Access;
-import no.nav.testnav.apps.persontilgangservice.service.PersonOrganisasjonService;
-
 @RestController
 @RequestMapping("/api/v1/person/organisasjoner")
 @RequiredArgsConstructor

apps/person-organisasjon-tilgang-service/src/main/resources/application-local.yml

@@ -1,2 +1,10 @@
 ACCEPTED_AUDIENCE: dev-gcp:dolly:testnav-person-tilgang-service-dev
-ALTINN_URL: https://tt02.altinn.no
+ALTINN_URL: https://tt02.altinn.no
+
+TOKENDINGS_URL: dummy
+ALTINN_API_KEY: dummy
+
+MASKINPORTEN_CLIENT_ID: dummy
+MASKINPORTEN_CLIENT_JWK: dummy
+MASKINPORTEN_SCOPES: dummy
+MASKINPORTEN_WELL_KNOWN_URL: dummy

apps/person-organisasjon-tilgang-service/src/main/resources/application.yml

@@ -1,3 +1,4 @@
+
 spring:
   application:
     version: application.version.todo
@@ -13,6 +14,9 @@ spring:
   jackson:
     serialization:
       write_dates_as_timestamps: false
+  cloud:
+    vault:
+      enabled: false
 
 springdoc:
   swagger-ui: