From 2cfed71c9873a6267a772147b05db732e2f0ac89 Mon Sep 17 00:00:00 2001
From: Kenneth Leine Schulstad
Date: Wed, 30 Oct 2024 13:40:01 +0100
Subject: [PATCH] Update guardian urls (#19)
* Use guardian.intern.ssb.no (PROD) and guardian.intern.test.ssb.no (TEST)
* Add debug log info
---
 .../client/DefaultKeycloakTokenResolver.java | 9 ++++--
 .../DefaultMaskinportenTokenResolver.java | 10 ++++--
 .../ssb/guardian/client/GuardianClient.java | 3 +-
 .../guardian/client/GuardianClientConfig.java | 31 +++++++++++++++++--
 .../client/GuardianClientConfigTest.java | 29 ++++++++++++++++-
 5 files changed, 72 insertions(+), 10 deletions(-)
diff --git a/src/main/java/no/ssb/guardian/client/DefaultKeycloakTokenResolver.java b/src/main/java/no/ssb/guardian/client/DefaultKeycloakTokenResolver.java
index b7d6f11..d40988d 100644
--- a/src/main/java/no/ssb/guardian/client/DefaultKeycloakTokenResolver.java
+++ b/src/main/java/no/ssb/guardian/client/DefaultKeycloakTokenResolver.java
@@ -4,6 +4,7 @@
 import lombok.extern.slf4j.Slf4j;
 import java.io.IOException;
+import java.net.URI;
 import java.net.URLEncoder;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
@@ -30,8 +31,9 @@ public AccessTokenWrapper getKeycloakAccessToken() {
 String keycloakClientId = "maskinporten-" + config.getMaskinportenClientId();
 log.debug(VERBOSE, "Get keycloak access token for client ID " + keycloakClientId);
 String params = "grant_type=" + URLEncoder.encode("client_credentials", StandardCharsets.UTF_8);
+ URI url = config.getKeycloakUrl().resolve(config.getKeycloakTokenEndpoint());
 HttpRequest request = HttpRequest.newBuilder()
- .uri(config.getKeycloakUrl().resolve(config.getKeycloakTokenEndpoint()))
+ .uri(url)
 .header("User-Agent", GuardianClient.userAgent())
 .header( "Content-Type", "application/x-www-form-urlencoded")
 .header("Authorization", "Basic " + base64EncodedCredentials(keycloakClientId, config.getKeycloakClientSecret()))
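Review bot: In getKeycloakAccessToken (hunk `@@ -30,8 +31,9 @@`), the request to the new `url` local carries a Basic `Authorization` header with the Keycloak client secret, yet nothing checks that `resolve()` kept the request on the configured Keycloak host. `keycloakTokenEndpoint` is settable through the builder (the test file in this patch passes `"/foo/bar"`), and `URI.resolve` returns its argument unchanged when that argument is an absolute URI, so a misconfigured endpoint value would send the credentials to a different host. A guard right after the new line would catch that: `if (!config.getKeycloakUrl().getHost().equals(url.getHost())) throw new GuardianClientException("Keycloak token endpoint must stay on " + config.getKeycloakUrl());`. The method body continues outside this hunk.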
@@ -47,14 +49,15 @@ public AccessTokenWrapper getKeycloakAccessToken() {
 Thread.currentThread().interrupt();
 }
 throw new GuardianClientException(String.format(
- "Error fetching keycloak token for %s", keycloakClientId
+ "Error fetching keycloak token from %s for %s", url, keycloakClientId
 ), e);
 }
 if (response.statusCode() != 200) {
 throw new GuardianClientException(String.format(
- "Error (%s) fetching keycloak token for %s: %s",
+ "Error (%s) fetching keycloak token from %s for %s: %s",
 response.statusCode(),
+ url,
 keycloakClientId,
 response.body()
 ));
diff --git a/src/main/java/no/ssb/guardian/client/DefaultMaskinportenTokenResolver.java b/src/main/java/no/ssb/guardian/client/DefaultMaskinportenTokenResolver.java
index b4aca79..e0cf51a 100644
--- a/src/main/java/no/ssb/guardian/client/DefaultMaskinportenTokenResolver.java
+++ b/src/main/java/no/ssb/guardian/client/DefaultMaskinportenTokenResolver.java
@@ -7,6 +7,7 @@
 import lombok.extern.slf4j.Slf4j;
 import java.io.IOException;
+import java.net.URI;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
@@ -32,8 +33,9 @@ public AccessTokenWrapper getMaskinportenAccessToken(@NonNull String keycloakTok
 log.debug(VERBOSE, "getMaskinportenAccessToken (user type: {})", isServiceUser ? "service" : "personal");
 String requestBody = Util.toJson(getAccessTokenRequestBody(isServiceUser(keycloakToken), scopes));
+ URI url = config.getGuardianUrl().resolve("/maskinporten/access-token");
 HttpRequest request = HttpRequest.newBuilder()
- .uri(config.getGuardianUrl().resolve("/maskinporten/access-token"))
+ .uri(url)
 .header("User-Agent", GuardianClient.userAgent())
 .header("Content-Type", "application/json")
 .header("Authorization", "Bearer " + keycloakToken)
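Review bot: In the non-200 branch of getKeycloakAccessToken (hunk `@@ -47,14 +49,15 @@` of DefaultKeycloakTokenResolver), the reworked format string still copies `response.body()` into the exception message with no length bound or line-break handling. Exception messages usually end up in application logs, and the body is whatever the remote endpoint chose to return, so I would cap it and flatten newlines before formatting. Assuming the body is a String, something like `body.length() > 512 ? body.substring(0, 512) + "..." : body` would do. The same pattern appears in DefaultMaskinportenTokenResolver, hunk `@@ -52,15 +54,17 @@`. The method starts outside this hunk.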
@@ -52,15 +54,17 @@ public AccessTokenWrapper getMaskinportenAccessToken(@NonNull String keycloakTok
 log.trace("keycloakToken", keycloakToken);
 log.trace("requestBody", requestBody);
 throw new GuardianClientException(String.format(
- "Error fetching maskinporten access token for client id %s",
+ "Error fetching maskinporten access token from %s for client id %s",
+ url,
 config.getMaskinportenClientId()
 ), e);
 }
 if (response.statusCode() != 200) {
 throw new GuardianClientException(String.format(
- "Error (%s) fetching maskinporten access token for client id %s: %s",
+ "Error (%s) fetching maskinporten access token from %s for client id %s: %s",
 response.statusCode(),
+ url,
 config.getMaskinportenClientId(),
 response.body()
 ));
diff --git a/src/main/java/no/ssb/guardian/client/GuardianClient.java b/src/main/java/no/ssb/guardian/client/GuardianClient.java
index 0ed82cc..a2b35f1 100644
--- a/src/main/java/no/ssb/guardian/client/GuardianClient.java
+++ b/src/main/java/no/ssb/guardian/client/GuardianClient.java
@@ -38,7 +38,7 @@ public GuardianClient(GuardianClientConfig config) {
 @NonNull MaskinportenTokenResolver maskinportenTokenResolver) {
 this.config = config;
 this.keycloakTokenResolver = keycloakTokenResolver;
- this.maskinportenTokenResolver =maskinportenTokenResolver;
+ this.maskinportenTokenResolver = maskinportenTokenResolver;
 this.cache = Caffeine.newBuilder()
 .expireAfter(new Expiry() {
 @Override
@@ -55,6 +55,7 @@ public long expireAfterRead(String key, AccessTokenWrapper token, long currentTi
 }
 })
 .build();
+ log.debug("GuardianClient initialized with config: {}", config.toDebugString());
 }
 /**
diff --git a/src/main/java/no/ssb/guardian/client/GuardianClientConfig.java b/src/main/java/no/ssb/guardian/client/GuardianClientConfig.java
index 506c200..4ce6540 100644
--- a/src/main/java/no/ssb/guardian/client/GuardianClientConfig.java
+++ b/src/main/java/no/ssb/guardian/client/GuardianClientConfig.java
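Review bot: The two `log.trace` calls kept as context at the top of hunk `@@ -52,15 +54,17 @@` (DefaultMaskinportenTokenResolver) pass the Keycloak bearer token and the request body as arguments to messages that contain no `{}` placeholder. With SLF4J (the file imports Lombok's `Slf4j`) the values are therefore never written, and the obvious repair of adding `{}` would put a live bearer token in the log. Since this commit is about making failures easier to diagnose, I would settle the intent here: drop the token line and keep only non-secret context, for example `log.trace("requestBody: {}", requestBody);` if the body is confirmed to hold no credentials. The catch block these lines belong to starts outside the hunk.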
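Review bot: The `log.debug(...)` added at the end of the GuardianClient constructor (hunk `@@ -55,6 +55,7 @@`) evaluates `config.toDebugString()` even when debug logging is off, and that method calls `getGuardianUrl()` and `getKeycloakUrl()`. The test `guardianUrl_shouldThrowExceptionForMissingEnvironment` visible in this patch suggests `getGuardianUrl()` throws for an incomplete config, so a diagnostic line could now make `new GuardianClient(config)` fail. Guard the call with `if (log.isDebugEnabled()) { log.debug("GuardianClient initialized with config: {}", config.toDebugString()); }`, and consider having `toDebugString()` catch the resolution failure and print a placeholder for the URL, since the guard alone still fails when debug is enabled.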
@@ -54,10 +54,10 @@ public URI getGuardianUrl() {
 return URI.create("http://maskinporten-guardian.dapla.svc.cluster.local");
 }
 else if (environment == PROD) {
- return URI.create("https://guardian.dapla.ssb.no");
+ return URI.create("https://guardian.intern.ssb.no");
 }
 else if (environment == TEST) {
- return URI.create("https://guardian.dapla-staging.ssb.no");
+ return URI.create("https://guardian.intern.test.ssb.no");
 }
 else if (environment == PROD_BIP) {
 return URI.create("https://guardian.dapla.ssb.no");
@@ -206,4 +206,31 @@ public enum Environment {
 PROD, TEST, LOCAL, PROD_BIP, STAGING_BIP
 }
+ public String toDebugString() {
+ return String.format("""
+ {
+ maskinportenClientId = '%s',
+ environment = %s,
+ internalAccess = %b,
+ guardianUrl = %s,
+ keycloakUrl = %s,
+ keycloakTokenEndpoint = '%s',
+ keycloakClientId = '%s',
+ shortenedTokenExpirationInSeconds = %d,
+ keycloakClientSecret = '%s',
+ staticKeycloakToken = '%s'
+ }
+ """,
+ maskinportenClientId,
+ environment,
+ internalAccess,
+ getGuardianUrl(),
+ getKeycloakUrl(),
+ getKeycloakTokenEndpoint(),
+ getKeycloakClientId(),
+ shortenedTokenExpirationInSeconds,
+ keycloakClientSecret != null ? "****" : "null",
+ staticKeycloakToken != null ? "****" : "null"
+ );
+ }
 }
diff --git a/src/test/java/no/ssb/guardian/client/GuardianClientConfigTest.java b/src/test/java/no/ssb/guardian/client/GuardianClientConfigTest.java
index 15c3edb..2de5e1c 100644
--- a/src/test/java/no/ssb/guardian/client/GuardianClientConfigTest.java
+++ b/src/test/java/no/ssb/guardian/client/GuardianClientConfigTest.java
@@ -17,7 +17,7 @@ void deduceGuardianUrl_test_shouldUseExternalUrl() {
 .environment(GuardianClientConfig.Environment.TEST)
 .build();
- assertThat(config.getGuardianUrl()).hasToString("https://guardian.dapla-staging.ssb.no");
+ assertThat(config.getGuardianUrl()).hasToString("https://guardian.intern.test.ssb.no");
 }
 @Test
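Review bot: Only the TEST host in `getGuardianUrl()` (hunk `@@ -54,10 +54,10 @@`) is pinned by an updated assertion in this patch; the new PROD value `https://guardian.intern.ssb.no` has no visible test, and the added `deduceKeycloakUrl_naisProdWithCustomEndpoint_shouldUseCustomEndpoint` test builds a PROD config but checks only the Keycloak URL. Because the Keycloak bearer token is sent to whatever host this method returns, a typo here misroutes a credential rather than just breaking a call; adding `assertThat(config.getGuardianUrl()).hasToString("https://guardian.intern.ssb.no");` to that test would pin it. `PROD_BIP` still returns `https://guardian.dapla.ssb.no`, which looks intentional given the unchanged staging-BIP test, but a one-line comment saying so would help the next reader. The method starts and continues outside the hunk.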
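Review bot: `toDebugString()` (hunk `@@ -206,4 +206,31 @@`) is added without a Javadoc stating that its output is meant to be log-safe, and the masking is opt-in per field, so a credential field added to the config later will be printed unless its author remembers this method. I would add a comment such as `/** Log-safe summary of this config; secret fields are rendered as "****" (set) or "null" (unset), never by value. Any new secret field must be masked here. */`. `getGuardianUrl()` and `getKeycloakUrl()` are printed in full, so if either can come from a caller-supplied URI carrying user-info or a query string, those parts should be stripped before formatting. I cannot tell from this hunk whether that is possible.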
@@ -87,6 +87,19 @@ void deduceKeycloakUrl_bipProdWithCustomEndpoint_shouldUseCustomEndpoint() {
 assertThat(config.getKeycloakTokenEndpoint()).isEqualTo ("/foo/bar");
 }
+ @Test
+ void deduceKeycloakUrl_naisProdWithCustomEndpoint_shouldUseCustomEndpoint() {
+ GuardianClientConfig config = GuardianClientConfig.builder()
+ .maskinportenClientId(DUMMY_MASKINPORTEN_CLIENT_ID)
+ .environment(GuardianClientConfig.Environment.PROD)
+ .keycloakTokenEndpoint("/foo/bar")
+ .build();
+
+ assertThat(config.getKeycloakUrl()).hasToString("https://auth.ssb.no");
+ assertThat(config.getKeycloakTokenEndpoint()).isEqualTo ("/foo/bar");
+ }
+
+
 @Test
 void guardianUrl_shouldThrowExceptionForMissingEnvironment() {
 GuardianClientConfig config = GuardianClientConfig.builder()
@@ -164,4 +177,18 @@ void getGuardianUrl_stagingBip_returnsCorrectUrl() {
 .build();
 assertThat(config.getGuardianUrl()).hasToString("https://guardian.dapla-staging.ssb.no");
 }
+
+ @Test
+ void toDebugString_shouldReturnMaskedSecrets() {
+ GuardianClientConfig config = GuardianClientConfig.builder()
+ .maskinportenClientId(DUMMY_MASKINPORTEN_CLIENT_ID)
+ .keycloakClientSecret("my-secret".toCharArray())
+ .staticKeycloakToken("my-token")
+ .environment(GuardianClientConfig.Environment.TEST)
+ .build();
+ System.out.println(config.toDebugString());
+
+ assertThat(config.toDebugString()).contains("keycloakClientSecret = '****'");
+ assertThat(config.toDebugString()).contains("staticKeycloakToken = '****'");
+ }
 }
\ No newline at end of file
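Review bot: `toDebugString_shouldReturnMaskedSecrets` (hunk `@@ -164,4 +177,18 @@`) asserts that the mask strings are present but not that the secret values are absent, so it would still pass if a later edit printed the secret elsewhere in the output. Add `assertThat(config.toDebugString()).doesNotContain("my-secret", "my-token");` so the test fails on any leak. The `System.out.println(config.toDebugString());` line is leftover debugging output and can be removed.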