From b88921ad95c04d7452fde1357649f95802185047 Mon Sep 17 00:00:00 2001
From: Espen Waaga <36693523+espenwaaga@users.noreply.github.com>
Date: Tue, 28 Mar 2023 09:49:33 +0200
Subject: [PATCH] Fjerner WS client som ikke brukes lenger (#1273)
---
.../nav/vedtak/sts/client/NAVSTSClient.java | 140 ----------------
.../OnBehalfOfWithOidcCallbackHandler.java | 75 ---------
.../nav/vedtak/sts/client/StsClientType.java | 6 -
.../sts/client/StsConfigurationUtil.java | 154 ------------------
.../no/nav/vedtak/sts/client/StsFeil.java | 34 ----
.../src/main/resources/stsPolicy.xml | 43 -----
6 files changed, 452 deletions(-)
delete mode 100644 integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/NAVSTSClient.java
delete mode 100644 integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/OnBehalfOfWithOidcCallbackHandler.java
delete mode 100644 integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/StsClientType.java
delete mode 100644 integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/StsConfigurationUtil.java
delete mode 100644 integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/StsFeil.java
delete mode 100644 integrasjon/webservice/src/main/resources/stsPolicy.xml
diff --git a/integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/NAVSTSClient.java b/integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/NAVSTSClient.java
deleted file mode 100644
index 1d4954646..000000000
--- a/integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/NAVSTSClient.java
+++ /dev/null
@@ -1,140 +0,0 @@
-package no.nav.vedtak.sts.client;
-
-import org.apache.cxf.Bus;
-import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.apache.cxf.ws.security.tokenstore.TokenStore;
-import org.apache.cxf.ws.security.tokenstore.TokenStoreFactory;
-import org.apache.cxf.ws.security.trust.STSClient;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import no.nav.vedtak.sikkerhet.context.SubjectHandler;
-import no.nav.vedtak.sikkerhet.context.containers.SluttBruker;
-import no.nav.vedtak.sikkerhet.kontekst.IdentType;
-import no.nav.vedtak.sikkerhet.kontekst.Systembruker;
-
-public class NAVSTSClient extends STSClient {
-
- private static final Logger LOG = LoggerFactory.getLogger(NAVSTSClient.class);
- public static final String DISABLE_CACHE_KEY = "NAVSTSClient.DISABLE_CACHE";
- private static TokenStore tokenStore;
- private static final SluttBruker systemSluttBruker = new SluttBruker(Systembruker.username(), IdentType.Systemressurs);
-
- private StsClientType type;
-
- public NAVSTSClient(Bus b, StsClientType type) {
- super(b);
- this.type = type;
- }
-
- @Override
- protected boolean useSecondaryParameters() {
- return false;
- }
-
- @Override
- public SecurityToken requestSecurityToken(String appliesTo, String action, String requestType, String binaryExchange) throws Exception {
- final SubjectHandler subjectHandler = SubjectHandler.getSubjectHandler();
- var samlToken = subjectHandler.getSamlToken();
- String userId = subjectHandler.getUid();
-
- if (userId == null) {
- userId = "unauthenticated";
- }
-
- String key;
- SluttBruker principal;
- if (StsClientType.SYSTEM_SAML == type) {
- key = "systemSAML";
- principal = systemSluttBruker;
- } else {
- key = subjectHandler.getInternSsoToken();
- principal = SubjectHandler.getSubjectHandler().getSluttBruker();
- }
-
- if (samlToken != null) {
- SecurityToken token = new SecurityToken(samlToken.getSamlId(), samlToken.getTokenAsElement(), null);
- token.setPrincipal(principal);
- if (LOG.isTraceEnabled()) {
- LOG.trace("Will use SAML-token found in subjectHandler: {}", tokenToString(token));
- }
- return token;
- }
-
- if (Boolean.getBoolean(DISABLE_CACHE_KEY)) {
- LOG.debug("Cache is disabled, fetching from STS for user {}", userId);
- SecurityToken token = super.requestSecurityToken(appliesTo, action, requestType, binaryExchange);
- token.setPrincipal(principal);
- if (LOG.isTraceEnabled()) {
- LOG.trace("Retrived token from STS: {}", tokenToString(token));
- }
- return token;
- }
-
- ensureTokenStoreExists();
-
- if (key == null) {
- throw StsFeil.kanIkkeHenteSamlUtenOidcToken();
- }
- SecurityToken token = tokenStore.getToken(key);
- String keyUtenSignatur = stripJwtSignatur(key);
- if (token == null) {
- LOG.debug("Missing token for user {}, cache key {}, fetching it from STS", userId, keyUtenSignatur); // NOSONAR
- token = super.requestSecurityToken(appliesTo, action, requestType, binaryExchange);
- token.setPrincipal(principal);
- tokenStore.add(key, token);
- } else if (token.isExpired()) {
- LOG.debug("Token for user {}, cache key {} is expired ({}) fetching a new one from STS", userId, keyUtenSignatur,
- token.getExpires()); // NOSONAR
- tokenStore.remove(key);
- token = super.requestSecurityToken(appliesTo, action, requestType, binaryExchange);
- token.setPrincipal(principal);
- tokenStore.add(key, token);
- } else {
- LOG.debug("Retrived token for user {}, cache key {} from tokenStore", userId, keyUtenSignatur); // NOSONAR
- }
- if (LOG.isTraceEnabled()) {
- LOG.trace("Retrived token: {}", tokenToString(token));
- }
- return token;
- }
-
- /**
- * A JWT consists of <base64 encoded header>.<base64 encoded
- * body>.<base64 encoded signature>
- *
- * @return if key is JWT - <base64 encoded header>.<base64 encoded
- * body>
- * else - {@code key}
- */
- private static String stripJwtSignatur(String key) {
- final int lastDot = key.lastIndexOf('.');
- final int end = lastDot == -1 ? key.length() : lastDot;
- return key.substring(0, end);
- }
-
- private static String tokenToString(SecurityToken token) {
- return token.getClass().getSimpleName() + "<" + "id=" + token.getId() + ", " + "wsuId=" + token.getWsuId() + ", " + "principal="
- + token.getPrincipal() + ", " + "created=" + token.getCreated() + ", " + "expires=" + token.getExpires() + ", " + "isExpired="
- + token.isExpired() + ", " + ">";
- }
-
- private void ensureTokenStoreExists() {
- if (tokenStore == null) {
- try {
- createTokenStore();
- } catch (Exception e) {
- // for kompat cxf 3.4
- throw new IllegalStateException("Kan ikke opprette TokenStore", e);
- }
- }
- }
-
- private synchronized void createTokenStore() throws Exception {
- if (tokenStore == null) {
- LOG.debug("Creating tokenStore");
- tokenStore = TokenStoreFactory.newInstance().newTokenStore(SecurityConstants.TOKEN_STORE_CACHE_INSTANCE, message);
- }
- }
-}
diff --git a/integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/OnBehalfOfWithOidcCallbackHandler.java b/integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/OnBehalfOfWithOidcCallbackHandler.java
deleted file mode 100644
index 51038a9a0..000000000
--- a/integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/OnBehalfOfWithOidcCallbackHandler.java
+++ /dev/null
@@ -1,75 +0,0 @@
-package no.nav.vedtak.sts.client;
-
-import java.io.IOException;
-import java.io.StringReader;
-import java.nio.charset.StandardCharsets;
-import java.util.Base64;
-
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
-import javax.xml.XMLConstants;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-
-import org.apache.cxf.ws.security.trust.delegation.DelegationCallback;
-import org.w3c.dom.Element;
-import org.xml.sax.InputSource;
-import org.xml.sax.SAXException;
-
-import no.nav.vedtak.sikkerhet.context.SubjectHandler;
-
-public class OnBehalfOfWithOidcCallbackHandler implements CallbackHandler {
-
- static Element getElement() throws IOException {
- return lagOnBehalfOfElement();
- }
-
- private static Element lagOnBehalfOfElement() throws IOException {
- try {
- var factory = DocumentBuilderFactory.newInstance();
- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- factory.setNamespaceAware(true);
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
- var builder = factory.newDocumentBuilder();
- var document = builder.parse(new InputSource(new StringReader(getOnBehalfOfString())));
- return document.getDocumentElement();
- } catch (ParserConfigurationException e) {
- throw StsFeil.klarteIkkeLageBuilder(e);
- } catch (SAXException e) {
- throw StsFeil.klarteIkkeLeseElement(e);
- }
- }
-
- private static String getOnBehalfOfString() {
- var base64encodedJTW = Base64.getEncoder().encodeToString(getJwtAsBytes());
- return
- ""
- + base64encodedJTW + "";
- }
-
- private static byte[] getJwtAsBytes() {
- var subjectHandler = SubjectHandler.getSubjectHandler();
- var jwt = subjectHandler.getInternSsoToken();
- if (jwt != null) {
- return jwt.getBytes(StandardCharsets.UTF_8);
- } else if (subjectHandler.getSamlToken() != null) {
- // HACK Setter jwt til tom string. Kaller aldri til STS når SamlToken er
- // tilstede (#see NAVSTSClient.requestSecurityToken())
- return "".getBytes(StandardCharsets.UTF_8);
- }
- throw new IllegalStateException("Har ikke en gyldig session.");
- }
-
- @Override
- public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
- for (var callback : callbacks) {
- if (callback instanceof DelegationCallback delegationCallback) {
- delegationCallback.setToken(getElement());
- } else {
- throw new UnsupportedCallbackException(callback);
- }
- }
- }
-
-}
diff --git a/integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/StsClientType.java b/integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/StsClientType.java
deleted file mode 100644
index dad54e213..000000000
--- a/integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/StsClientType.java
+++ /dev/null
@@ -1,6 +0,0 @@
-package no.nav.vedtak.sts.client;
-
-public enum StsClientType {
- SYSTEM_SAML,
- SECURITYCONTEXT_TIL_SAML
-}
\ No newline at end of file
diff --git a/integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/StsConfigurationUtil.java b/integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/StsConfigurationUtil.java
deleted file mode 100644
index 4f35774bc..000000000
--- a/integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/StsConfigurationUtil.java
+++ /dev/null
@@ -1,154 +0,0 @@
-package no.nav.vedtak.sts.client;
-
-import java.util.HashMap;
-
-import javax.xml.namespace.QName;
-
-import org.apache.cxf.Bus;
-import org.apache.cxf.BusException;
-import org.apache.cxf.binding.soap.Soap12;
-import org.apache.cxf.binding.soap.SoapMessage;
-import org.apache.cxf.endpoint.Client;
-import org.apache.cxf.endpoint.Endpoint;
-import org.apache.cxf.endpoint.EndpointException;
-import org.apache.cxf.frontend.ClientProxy;
-import org.apache.cxf.interceptor.LoggingInInterceptor;
-import org.apache.cxf.interceptor.LoggingOutInterceptor;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.service.model.EndpointInfo;
-import org.apache.cxf.ws.addressing.WSAddressingFeature;
-import org.apache.cxf.ws.policy.EndpointPolicy;
-import org.apache.cxf.ws.policy.PolicyBuilder;
-import org.apache.cxf.ws.policy.PolicyEngine;
-import org.apache.cxf.ws.policy.attachment.reference.ReferenceResolver;
-import org.apache.cxf.ws.policy.attachment.reference.RemoteReferenceResolver;
-import org.apache.cxf.ws.security.trust.STSClient;
-import org.apache.neethi.Policy;
-
-import no.nav.foreldrepenger.konfig.Environment;
-import no.nav.vedtak.sikkerhet.kontekst.Systembruker;
-
-@SuppressWarnings("deprecation")
-public class StsConfigurationUtil {
-
- private static final Environment ENV = Environment.current();
-
- private static final String STS_URL_KEY = "securityTokenService.url";
-
- private StsConfigurationUtil() {
- throw new IllegalAccessError("Skal ikke instansieres");
- }
-
- @SuppressWarnings("resource")
- public static T wrapWithSts(T port, StsClientType samlTokenType) {
- Client client = ClientProxy.getClient(port);
- switch (samlTokenType) {
- case SECURITYCONTEXT_TIL_SAML:
- configureStsForOnBehalfOfWithOidc(client);
- break;
- case SYSTEM_SAML:
- configureStsForSystemUser(client);
- break;
- default:
- throw new IllegalArgumentException("Unknown enum value: " + samlTokenType);
- }
- return port;
- }
-
- public static void configureStsForOnBehalfOfWithOidc(Client client) {
- String location = requireProperty(STS_URL_KEY);
- String username = requireSystembruker(Systembruker.username());
- String password = requireSystembruker(Systembruker.password());
- configureStsForOnBehalfOfWithOidc(client, location, username, password);
- }
-
- public static void configureStsForOnBehalfOfWithOidc(Client client, String stsURL, String stsUsername, String stsPassword) {
- STSClient stsClient = createBasicSTSClient(StsClientType.SECURITYCONTEXT_TIL_SAML, client.getBus(), stsURL, stsUsername, stsPassword);
- stsClient.setOnBehalfOf(new OnBehalfOfWithOidcCallbackHandler());
- client.getRequestContext().put("security.sts.client", stsClient);
- client.getRequestContext().put(org.apache.cxf.ws.security.SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT, false);
- setEndpointPolicyReference(client, "classpath:stsPolicy.xml");
- }
-
- public static void configureStsForSystemUser(Client client) {
- String location = requireProperty(STS_URL_KEY);
- String username = requireSystembruker(Systembruker.username());
- String password = requireSystembruker(Systembruker.password());
-
- configureStsForSystemUser(client, location, username, password);
- }
-
- public static void configureStsForSystemUser(Client client, String location, String username, String password) {
- new WSAddressingFeature().initialize(client, client.getBus());
-
- STSClient stsClient = createBasicSTSClient(StsClientType.SYSTEM_SAML, client.getBus(), location, username, password);
- client.getRequestContext().put("security.sts.client", stsClient);
- client.getRequestContext().put(org.apache.cxf.ws.security.SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT, false);
- setEndpointPolicyReference(client, "classpath:stsPolicy.xml");
- }
-
- private static String requireProperty(String key) {
- String property = ENV.getProperty(key);
- if (property == null) {
- throw StsFeil.påkrevdSystemPropertyMangler(key);
- }
- return property;
- }
-
- private static String requireSystembruker(String property) {
- if (property == null) {
- throw StsFeil.påkrevdSystemPropertyMangler(Systembruker.class.getSimpleName());
- }
- return property;
- }
-
- @SuppressWarnings("resource")
- private static STSClient createBasicSTSClient(StsClientType type, Bus bus, String location, String username, String password) {
- STSClient stsClient = new NAVSTSClient(bus, type);
- stsClient.setWsdlLocation("wsdl/ws-trust-1.4-service.wsdl");
- stsClient.setServiceQName(new QName("http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl", "SecurityTokenServiceProvider"));
- stsClient.setEndpointQName(new QName("http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl", "SecurityTokenServiceSOAP"));
- stsClient.setEnableAppliesTo(false);
- stsClient.setAllowRenewing(false);
-
- try {
- // Endpoint must be set on clients request context
- // as the wrapping requestcontext is not available
- // when creating the client from WSDL (ref cxf-users mailinglist)
- stsClient.getClient().getRequestContext().put(Message.ENDPOINT_ADDRESS, location);
- } catch (BusException | EndpointException e) {
- throw StsFeil.kunneIkkeSetteEndpointAddress(location, e);
- }
-
- stsClient.getOutInterceptors().add(new LoggingOutInterceptor());
- stsClient.getInInterceptors().add(new LoggingInInterceptor());
-
- HashMap properties = new HashMap<>();
- properties.put(org.apache.cxf.ws.security.SecurityConstants.USERNAME, username);
- properties.put(org.apache.cxf.ws.security.SecurityConstants.PASSWORD, password);
- stsClient.setProperties(properties);
- return stsClient;
- }
-
- private static void setEndpointPolicyReference(Client client, String uri) {
- Policy policy = resolvePolicyReference(client, uri);
- setClientEndpointPolicy(client, policy);
- }
-
- private static Policy resolvePolicyReference(Client client, String uri) {
- PolicyBuilder policyBuilder = client.getBus().getExtension(PolicyBuilder.class);
- ReferenceResolver resolver = new RemoteReferenceResolver("", policyBuilder);
- return resolver.resolveReference(uri);
- }
-
- private static void setClientEndpointPolicy(Client client, Policy policy) {
- Endpoint endpoint = client.getEndpoint();
- EndpointInfo endpointInfo = endpoint.getEndpointInfo();
-
- PolicyEngine policyEngine = client.getBus().getExtension(PolicyEngine.class);
- SoapMessage message = new SoapMessage(Soap12.getInstance());
- EndpointPolicy endpointPolicy = policyEngine.getClientEndpointPolicy(endpointInfo, null, message);
- policyEngine.setClientEndpointPolicy(endpointInfo, endpointPolicy.updatePolicy(policy, message));
- }
-
-}
diff --git a/integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/StsFeil.java b/integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/StsFeil.java
deleted file mode 100644
index 7b80ce081..000000000
--- a/integrasjon/webservice/src/main/java/no/nav/vedtak/sts/client/StsFeil.java
+++ /dev/null
@@ -1,34 +0,0 @@
-package no.nav.vedtak.sts.client;
-
-import javax.xml.parsers.ParserConfigurationException;
-
-import org.apache.cxf.common.i18n.Exception;
-import org.xml.sax.SAXException;
-
-import no.nav.vedtak.exception.TekniskException;
-
-class StsFeil {
-
- private StsFeil() {
- }
-
- static TekniskException kanIkkeHenteSamlUtenOidcToken() {
- return new TekniskException("F-578932", "Kan ikke hente SAML uten OIDC");
- }
-
- static TekniskException klarteIkkeLageBuilder(ParserConfigurationException e) {
- return new TekniskException("F-411975", "Klarte ikke lage builder", e);
- }
-
- static TekniskException klarteIkkeLeseElement(SAXException e) {
- return new TekniskException("F-738504", "Fikk exception når forsøkte å lese onBehalfOf-element", e);
- }
-
- static TekniskException påkrevdSystemPropertyMangler(String nøkkel) {
- return new TekniskException("F-919615", String.format("Påkrevd system property '%s' mangler", nøkkel));
- }
-
- static TekniskException kunneIkkeSetteEndpointAddress(String location, Exception e) {
- return new TekniskException("F-440400", String.format("Failed to set endpoint adress of STSClient to %s", location), e);
- }
-}
diff --git a/integrasjon/webservice/src/main/resources/stsPolicy.xml b/integrasjon/webservice/src/main/resources/stsPolicy.xml
deleted file mode 100644
index 7225962f6..000000000
--- a/integrasjon/webservice/src/main/resources/stsPolicy.xml
+++ /dev/null
@@ -1,43 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
-
- http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
-
-
-
-
-
-
-
-
-