Skip to content

Commit

Permalink
Oppgrader spring-boot etc
Browse files Browse the repository at this point in the history 
Kritiske sårbarheter ble oppdaget i flere pakker.
  • Loading branch information
@Oddsor
Oddsor committed Feb 23, 2024
1 parent 46bed99 commit cd57bf0
Show file tree
Hide file tree
Showing 7 changed files with 22 additions and 33 deletions.
22 changes: 5 additions & 17 deletions pom.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.1.0</version>
<version>3.2.2</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>no.nav.arbeidsgiver</groupId>
Expand All @@ -15,8 +15,8 @@
<properties>
<java.version>17</java.version>
<kotlin.version>1.8.10</kotlin.version>
<cucumber.version>6.4.0</cucumber.version>
<token-support.version>3.1.0</token-support.version>
<cucumber.version>7.15.0</cucumber.version>
<token-support.version>3.2.0</token-support.version>
</properties>

<dependencies>
Expand Down Expand Up @@ -91,12 +91,6 @@
<version>${cucumber.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>de.monochromata.cucumber</groupId>
<artifactId>reporting-plugin</artifactId>
<version>4.0.70</version>
<scope>test</scope>
</dependency>
<!-- Database -->
<dependency>
<groupId>org.springframework.boot</groupId>
Expand All @@ -114,6 +108,7 @@
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<version>42.7.2</version>
</dependency>
<!--Tokensupport -->
<dependency>
Expand Down Expand Up @@ -167,7 +162,7 @@
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-contract-stub-runner</artifactId>
<version>2.2.5.RELEASE</version>
<version>4.1.1</version>
</dependency>

<dependency>
Expand All @@ -176,13 +171,6 @@
<version>8.2.0</version>
</dependency>

<dependency>
<groupId>org.awaitility</groupId>
<artifactId>awaitility-kotlin</artifactId>
<version>4.0.3</version>
<scope>test</scope>
</dependency>

<dependency>
<groupId>io.micrometer</groupId>
<artifactId>micrometer-registry-prometheus</artifactId>
Expand Down
2 changes: 1 addition & 1 deletion src/main/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/AuditLoggingFilter.kt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ class AuditLoggingFilter(
try {
val fnr: List<String> = JsonPath.read<List<String>?>(wrapper.contentInputStream, "$..deltakerFnr").distinct()
val utførtTid = Now.instant()
val brukerId = context.tokenValidationContext.getClaims("tokenx")?.getStringClaim("pid") ?: context.tokenValidationContext.getClaims("aad")?.getStringClaim("NAVident")
val brukerId = context.getTokenValidationContext().getClaims("tokenx")?.getStringClaim("pid") ?: context.getTokenValidationContext().getClaims("aad")?.getStringClaim("NAVident")

val uri = URI.create(request.requestURI)
// Logger kun oppslag dersom en innlogget bruker utførte oppslaget
Expand Down
4 changes: 2 additions & 2 deletions src/main/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/SecurityClientConfiguration.kt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,10 +45,10 @@ class SecurityClientConfiguration(
private fun bearerTokenInterceptor(
clientProperties: ClientProperties,
oAuth2AccessTokenService: OAuth2AccessTokenService
): ClientHttpRequestInterceptor? {
): ClientHttpRequestInterceptor {
return ClientHttpRequestInterceptor { request: HttpRequest, body: ByteArray?, execution: ClientHttpRequestExecution ->
val response = oAuth2AccessTokenService.getAccessToken(clientProperties)
request.headers.setBearerAuth(response.accessToken)
request.headers.setBearerAuth(response.accessToken!!)
execution.execute(request, body!!)
}
}
Expand Down
2 changes: 1 addition & 1 deletion src/main/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/autorisering/FakeGraphApiService.kt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ import org.springframework.stereotype.Service
@ConditionalOnProperty("tiltak-refusjon.graph-api.fake")
class FakeGraphApiService(val context: TokenValidationContextHolder) : GraphApiService {
override fun hent(): GraphApiService.GraphApiResponse {
val claims = context.tokenValidationContext.getClaims("aad")
val claims = context.getTokenValidationContext().getClaims("aad")
return GraphApiService.GraphApiResponse(claims.getStringClaim("NAVident"), "Navn Testnavn")
}
}
14 changes: 8 additions & 6 deletions src/main/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/autorisering/InnloggetBrukerService.kt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,15 +30,15 @@ class InnloggetBrukerService(
var logger: Logger = LoggerFactory.getLogger(javaClass)

fun erArbeidsgiver(): Boolean {
return context.tokenValidationContext.hasTokenFor("tokenx")
return context.getTokenValidationContext().hasTokenFor("tokenx")
}

fun erSaksbehandler(): Boolean {
return context.tokenValidationContext.hasTokenFor("aad")
return context.getTokenValidationContext().hasTokenFor("aad")
}

fun erBeslutter(): Boolean {
val groupClaim = context.tokenValidationContext.getClaims("aad").get("groups") as List<String>
val groupClaim = context.getTokenValidationContext().getClaims("aad").get("groups") as List<String>
return erSaksbehandler() && groupClaim.contains(beslutterRolleConfig.id)
}

Expand All @@ -47,11 +47,11 @@ class InnloggetBrukerService(
}

fun navIdent(): String {
return context.tokenValidationContext.getClaims("aad").getStringClaim("NAVident")
return context.getTokenValidationContext().getClaims("aad").getStringClaim("NAVident")
}

fun displayName(): String {
val displayNameClaim = context.tokenValidationContext.getClaims("aad").get("name")
val displayNameClaim = context.getTokenValidationContext().getClaims("aad").get("name")
if (displayNameClaim != null) {
return displayNameClaim as String
}
Expand All @@ -61,9 +61,10 @@ class InnloggetBrukerService(
fun hentInnloggetArbeidsgiver(): InnloggetArbeidsgiver {
return when {
erArbeidsgiver() -> {
val fnr = Fnr(context.tokenValidationContext.getClaims("tokenx").getStringClaim("pid"))
val fnr = Fnr(context.getTokenValidationContext().getClaims("tokenx").getStringClaim("pid"))
InnloggetArbeidsgiver(fnr.verdi, altinnTilgangsstyringService, refusjonRepository, korreksjonRepository, refusjonService, eregClient)
}

else -> {
throw RuntimeException("Feil ved token, kunne ikke identifisere arbeidsgiver")
}
Expand All @@ -86,6 +87,7 @@ class InnloggetBrukerService(
norgeService = norgService
)
}

else -> {
throw RuntimeException("Feil ved token, kunne ikke identifisere saksbehandler")
}
Expand Down
3 changes: 1 addition & 2 deletions src/test/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/RunCucumberTest.kt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,7 @@ import org.springframework.test.context.TestPropertySource

@RunWith(Cucumber::class)
@CucumberOptions(
plugin = ["pretty", "json:target/report.json", "de.monochromata.cucumber.report.PrettyReports:target/pretty-cucumber"],
features = ["src/test/resources/features"]
features = ["src/test/resources/features"]
)
@TestPropertySource(properties = ["cucumber.reporting.config.file=src/test/resources/cucumber-reporting.properties"])
class RunCucumberTest
8 changes: 4 additions & 4 deletions ...test/kotlin/no/nav/arbeidsgiver/tiltakrefusjon/altinn/AltinnTilgangsstyringServiceTest.kt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ class AltinnTilgangsstyringServiceTest {
// GITT
altinnTilgangsstyringProperties.serviceCode = 4936
val fnr = Fnr("10000000007")
every { context.tokenValidationContext.getClaims(any()).getStringClaim("pid") } returns fnr.verdi
every { context.getTokenValidationContext().getClaims(any()).getStringClaim("pid") } returns fnr.verdi

// NÅR
val organisasjoner: Set<Organisasjon> = altinnTilgangsstyringService.hentTilganger(fnr.verdi)
Expand All @@ -43,7 +43,7 @@ class AltinnTilgangsstyringServiceTest {
// GITT
altinnTilgangsstyringProperties.serviceCode = 4936
val fnr = Fnr("21234567890")
every { context.tokenValidationContext.getClaims(any()).getStringClaim("pid") } returns fnr.verdi
every { context.getTokenValidationContext().getClaims(any()).getStringClaim("pid") } returns fnr.verdi

// NÅR
assertFeilkode(Feilkode.ALTINN) {
Expand All @@ -57,7 +57,7 @@ class AltinnTilgangsstyringServiceTest {
altinnTilgangsstyringProperties.serviceCode = 5516
altinnTilgangsstyringService = AltinnTilgangsstyringService(altinnTilgangsstyringProperties, RestTemplate())
val fnr = Fnr("21234567890")
every { context.tokenValidationContext.getClaims(any()).getStringClaim("pid") } returns fnr.verdi
every { context.getTokenValidationContext().getClaims(any()).getStringClaim("pid") } returns fnr.verdi

// NÅR
val organisasjoner: Set<Organisasjon> = altinnTilgangsstyringService.hentTilganger(fnr.verdi)
Expand All @@ -72,7 +72,7 @@ class AltinnTilgangsstyringServiceTest {
altinnTilgangsstyringProperties.serviceCode = 0
altinnTilgangsstyringService = AltinnTilgangsstyringService(altinnTilgangsstyringProperties, RestTemplate())
val fnr = Fnr("21234567890")
every { context.tokenValidationContext.getClaims(any()).getStringClaim("pid") } returns fnr.verdi
every { context.getTokenValidationContext().getClaims(any()).getStringClaim("pid") } returns fnr.verdi

// NÅR
assertFeilkode(Feilkode.ALTINN) {
Expand Down

0 comments on commit cd57bf0

Please sign in to comment.