Update guardian urls (#19)

* Use guardian.intern.ssb.no (PROD) and guardian.intern.test.ssb.no (TEST) * Add debug log info
statisticsnorway · Oct 30, 2024 · 2cfed71 · 2cfed71
1 parent 0686948
commit 2cfed71
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 10 deletions.
diff --git a/src/main/java/no/ssb/guardian/client/DefaultKeycloakTokenResolver.java b/src/main/java/no/ssb/guardian/client/DefaultKeycloakTokenResolver.java
@@ -4,6 +4,7 @@
 import lombok.extern.slf4j.Slf4j;
 
 import java.io.IOException;
+import java.net.URI;
 import java.net.URLEncoder;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
@@ -30,8 +31,9 @@ public AccessTokenWrapper getKeycloakAccessToken() {
         String keycloakClientId = "maskinporten-" + config.getMaskinportenClientId();
         log.debug(VERBOSE, "Get keycloak access token for client ID " + keycloakClientId);
         String params = "grant_type=" + URLEncoder.encode("client_credentials", StandardCharsets.UTF_8);
+        URI url = config.getKeycloakUrl().resolve(config.getKeycloakTokenEndpoint());
         HttpRequest request = HttpRequest.newBuilder()
-                .uri(config.getKeycloakUrl().resolve(config.getKeycloakTokenEndpoint()))
+                .uri(url)
                 .header("User-Agent", GuardianClient.userAgent())
                 .header( "Content-Type", "application/x-www-form-urlencoded")
                 .header("Authorization", "Basic " + base64EncodedCredentials(keycloakClientId, config.getKeycloakClientSecret()))
@@ -47,14 +49,15 @@ public AccessTokenWrapper getKeycloakAccessToken() {
                 Thread.currentThread().interrupt();
             }
             throw new GuardianClientException(String.format(
-                    "Error fetching keycloak token for %s", keycloakClientId
+                    "Error fetching keycloak token from %s for %s", url, keycloakClientId
             ), e);
         }
 
         if (response.statusCode() != 200) {
             throw new GuardianClientException(String.format(
-                    "Error (%s) fetching keycloak token for %s: %s",
+                    "Error (%s) fetching keycloak token from %s for %s: %s",
                     response.statusCode(),
+                    url,
                     keycloakClientId,
                     response.body()
             ));

diff --git a/src/main/java/no/ssb/guardian/client/DefaultMaskinportenTokenResolver.java b/src/main/java/no/ssb/guardian/client/DefaultMaskinportenTokenResolver.java
@@ -7,6 +7,7 @@
 import lombok.extern.slf4j.Slf4j;
 
 import java.io.IOException;
+import java.net.URI;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
@@ -32,8 +33,9 @@ public AccessTokenWrapper getMaskinportenAccessToken(@NonNull String keycloakTok
         log.debug(VERBOSE, "getMaskinportenAccessToken (user type: {})", isServiceUser ? "service" : "personal");
 
         String requestBody = Util.toJson(getAccessTokenRequestBody(isServiceUser(keycloakToken), scopes));
+        URI url = config.getGuardianUrl().resolve("/maskinporten/access-token");
         HttpRequest request = HttpRequest.newBuilder()
-                .uri(config.getGuardianUrl().resolve("/maskinporten/access-token"))
+                .uri(url)
                 .header("User-Agent", GuardianClient.userAgent())
                 .header("Content-Type", "application/json")
                 .header("Authorization", "Bearer " + keycloakToken)
@@ -52,15 +54,17 @@ public AccessTokenWrapper getMaskinportenAccessToken(@NonNull String keycloakTok
             log.trace("keycloakToken", keycloakToken);
             log.trace("requestBody", requestBody);
             throw new GuardianClientException(String.format(
-                    "Error fetching maskinporten access token for client id %s",
+                    "Error fetching maskinporten access token from %s for client id %s",
+                    url,
                     config.getMaskinportenClientId()
             ), e);
         }
 
         if (response.statusCode() != 200) {
             throw new GuardianClientException(String.format(
-                    "Error (%s) fetching maskinporten access token for client id %s: %s",
+                    "Error (%s) fetching maskinporten access token from %s for client id %s: %s",
                     response.statusCode(),
+                    url,
                     config.getMaskinportenClientId(),
                     response.body()
             ));

diff --git a/src/main/java/no/ssb/guardian/client/GuardianClient.java b/src/main/java/no/ssb/guardian/client/GuardianClient.java
@@ -38,7 +38,7 @@ public GuardianClient(GuardianClientConfig config) {
                    @NonNull MaskinportenTokenResolver maskinportenTokenResolver) {
         this.config = config;
         this.keycloakTokenResolver = keycloakTokenResolver;
-        this.maskinportenTokenResolver =maskinportenTokenResolver;
+        this.maskinportenTokenResolver = maskinportenTokenResolver;
         this.cache = Caffeine.newBuilder()
                 .expireAfter(new Expiry<String, AccessTokenWrapper>() {
                     @Override
@@ -55,6 +55,7 @@ public long expireAfterRead(String key, AccessTokenWrapper token, long currentTi
                     }
                 })
                 .build();
+        log.debug("GuardianClient initialized with config: {}", config.toDebugString());
     }
 
     /**

diff --git a/src/main/java/no/ssb/guardian/client/GuardianClientConfig.java b/src/main/java/no/ssb/guardian/client/GuardianClientConfig.java
@@ -54,10 +54,10 @@ public URI getGuardianUrl() {
             return URI.create("http://maskinporten-guardian.dapla.svc.cluster.local");
         }
         else if (environment == PROD) {
-            return URI.create("https://guardian.dapla.ssb.no");
+            return URI.create("https://guardian.intern.ssb.no");
         }
         else if (environment == TEST) {
-            return URI.create("https://guardian.dapla-staging.ssb.no");
+            return URI.create("https://guardian.intern.test.ssb.no");
         }
         else if (environment == PROD_BIP) {
             return URI.create("https://guardian.dapla.ssb.no");
@@ -206,4 +206,31 @@ public enum Environment {
         PROD, TEST, LOCAL, PROD_BIP, STAGING_BIP
     }
 
+    public String toDebugString() {
+        return String.format("""
+            {
+              maskinportenClientId = '%s',
+              environment = %s,
+              internalAccess = %b,
+              guardianUrl = %s,
+              keycloakUrl = %s,
+              keycloakTokenEndpoint = '%s',
+              keycloakClientId = '%s',
+              shortenedTokenExpirationInSeconds = %d,
+              keycloakClientSecret = '%s',
+              staticKeycloakToken = '%s'
+            }
+            """,
+                maskinportenClientId,
+                environment,
+                internalAccess,
+                getGuardianUrl(),
+                getKeycloakUrl(),
+                getKeycloakTokenEndpoint(),
+                getKeycloakClientId(),
+                shortenedTokenExpirationInSeconds,
+                keycloakClientSecret != null ? "****" : "null",
+                staticKeycloakToken != null ? "****" : "null"
+        );
+    }
 }
diff --git a/src/test/java/no/ssb/guardian/client/GuardianClientConfigTest.java b/src/test/java/no/ssb/guardian/client/GuardianClientConfigTest.java
@@ -17,7 +17,7 @@ void deduceGuardianUrl_test_shouldUseExternalUrl() {
                 .environment(GuardianClientConfig.Environment.TEST)
                 .build();
 
-        assertThat(config.getGuardianUrl()).hasToString("https://guardian.dapla-staging.ssb.no");
+        assertThat(config.getGuardianUrl()).hasToString("https://guardian.intern.test.ssb.no");
     }
 
     @Test
@@ -87,6 +87,19 @@ void deduceKeycloakUrl_bipProdWithCustomEndpoint_shouldUseCustomEndpoint() {
         assertThat(config.getKeycloakTokenEndpoint()).isEqualTo ("/foo/bar");
     }
 
+    @Test
+    void deduceKeycloakUrl_naisProdWithCustomEndpoint_shouldUseCustomEndpoint() {
+        GuardianClientConfig config = GuardianClientConfig.builder()
+                .maskinportenClientId(DUMMY_MASKINPORTEN_CLIENT_ID)
+                .environment(GuardianClientConfig.Environment.PROD)
+                .keycloakTokenEndpoint("/foo/bar")
+                .build();
+
+        assertThat(config.getKeycloakUrl()).hasToString("https://auth.ssb.no");
+        assertThat(config.getKeycloakTokenEndpoint()).isEqualTo ("/foo/bar");
+    }
+
+
     @Test
     void guardianUrl_shouldThrowExceptionForMissingEnvironment() {
         GuardianClientConfig config = GuardianClientConfig.builder()
@@ -164,4 +177,18 @@ void getGuardianUrl_stagingBip_returnsCorrectUrl() {
                 .build();
         assertThat(config.getGuardianUrl()).hasToString("https://guardian.dapla-staging.ssb.no");
     }
+
+    @Test
+    void toDebugString_shouldReturnMaskedSecrets() {
+        GuardianClientConfig config = GuardianClientConfig.builder()
+                .maskinportenClientId(DUMMY_MASKINPORTEN_CLIENT_ID)
+                .keycloakClientSecret("my-secret".toCharArray())
+                .staticKeycloakToken("my-token")
+                .environment(GuardianClientConfig.Environment.TEST)
+                .build();
+        System.out.println(config.toDebugString());
+
+        assertThat(config.toDebugString()).contains("keycloakClientSecret = '****'");
+        assertThat(config.toDebugString()).contains("staticKeycloakToken = '****'");
+    }
 }