wip

src/main/kotlin/no/nav/syfo/brukertilgang/BrukerTilgangController.kt

@@ -2,20 +2,17 @@ package no.nav.syfo.brukertilgang
 
 import no.nav.security.token.support.core.api.ProtectedWithClaims
 import no.nav.security.token.support.core.context.TokenValidationContextHolder
-import no.nav.syfo.metric.Metrikk
 import no.nav.syfo.auth.tokenx.TokenXUtil
 import no.nav.syfo.auth.tokenx.TokenXUtil.TokenXIssuer.TOKENX
 import no.nav.syfo.auth.tokenx.TokenXUtil.fnrFromIdportenTokenX
+import no.nav.syfo.metric.Metrikk
 import no.nav.syfo.util.NAV_PERSONIDENT_HEADER
 import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.annotation.Value
 import org.springframework.http.HttpStatus
-import org.springframework.util.MultiValueMap
-import org.springframework.util.ObjectUtils
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.RequestHeader
 import org.springframework.web.bind.annotation.RequestMapping
-import org.springframework.web.bind.annotation.RequestParam
 import org.springframework.web.bind.annotation.ResponseBody
 import org.springframework.web.bind.annotation.RestController
 import org.springframework.web.server.ResponseStatusException
@@ -25,19 +22,18 @@ import org.springframework.web.server.ResponseStatusException
 @RequestMapping(value = ["/api/v1/brukertilgang"])
 class BrukerTilgangController(
     private val contextHolder: TokenValidationContextHolder,
-    private val brukertilgangConsumer: BrukertilgangClient,
+    private val brukertilgangClient: BrukertilgangClient,
     private val brukertilgangService: BrukertilgangService,
     private val metrikk: Metrikk,
     @Value("\${OPPFOLGINGSPLAN_FRONTEND_CLIENT_ID}")
     private val oppfolgingsplanClientId: String,
 ) {
     @GetMapping
-    fun harTilgang(@RequestParam(value = "fnr", required = false) oppslaattFnr: String?): RSTilgang {
+    fun harTilgang(@RequestHeader(NAV_PERSONIDENT_HEADER) fnr: String): RSTilgang {
         val innloggetIdent = TokenXUtil.validateTokenXClaims(contextHolder, oppfolgingsplanClientId)
             .fnrFromIdportenTokenX()
             .value
-        val oppslaattIdent = if (ObjectUtils.isEmpty(oppslaattFnr)) innloggetIdent else oppslaattFnr
-        if (!brukertilgangService.tilgangTilOppslattIdent(innloggetIdent, oppslaattIdent!!)) {
+        if (!brukertilgangService.tilgangTilOppslattIdent(innloggetIdent, fnr)) {
             LOG.error("Ikke tilgang: Bruker spør om noen andre enn seg selv eller egne ansatte")
             throw ResponseStatusException(HttpStatus.FORBIDDEN)
         }
@@ -47,14 +43,12 @@ class BrukerTilgangController(
 
     @GetMapping(path = ["/ansatt"])
     @ResponseBody
-    fun accessToAnsatt(@RequestHeader headers: MultiValueMap<String, String>): BrukerTilgang {
-        val oppslaattIdent = headers.getFirst(NAV_PERSONIDENT_HEADER.lowercase())
-
-        require(!ObjectUtils.isEmpty(oppslaattIdent)) { "Fant ikke Ident i Header ved sjekk av tilgang til Ident" }
+    fun accessToAnsatt(@RequestHeader(NAV_PERSONIDENT_HEADER) fnr: String): BrukerTilgang {
+        TokenXUtil.validateTokenXClaims(contextHolder, oppfolgingsplanClientId)
 
         metrikk.tellHendelse("accessToIdent")
 
-        return BrukerTilgang(brukertilgangConsumer.hasAccessToAnsatt(oppslaattIdent!!))
+        return BrukerTilgang(brukertilgangClient.hasAccessToAnsatt(fnr))
     }
 
     companion object {

src/test/kotlin/no/nav/syfo/brukertilgang/BrukerTilgangControllerTest.kt

@@ -0,0 +1,60 @@
+package no.nav.syfo.brukertilgang
+
+import io.kotest.assertions.throwables.shouldThrowExactly
+import io.kotest.core.spec.style.FunSpec
+import io.kotest.matchers.shouldBe
+import io.mockk.every
+import io.mockk.mockk
+import no.nav.security.token.support.core.context.TokenValidationContext
+import no.nav.security.token.support.core.context.TokenValidationContextHolder
+import no.nav.security.token.support.core.jwt.JwtTokenClaims
+import no.nav.syfo.auth.tokenx.TokenXUtil
+import no.nav.syfo.metric.Metrikk
+import org.springframework.http.HttpStatus
+import org.springframework.web.server.ResponseStatusException
+
+class BrukerTilgangControllerTest : FunSpec({
+    val contextHolder = mockk<TokenValidationContextHolder>()
+    val mockTokenValidationContext = mockk<TokenValidationContext>()
+    val mockJwtTokenClaims = mockk<JwtTokenClaims>()
+    val brukertilgangConsumer = mockk<BrukertilgangClient>()
+    val brukertilgangService = mockk<BrukertilgangService>()
+    val metrikk = mockk<Metrikk>(relaxed = true)
+    val controller =
+        BrukerTilgangController(contextHolder, brukertilgangConsumer, brukertilgangService, metrikk, "clientId")
+
+    val validFnr = "12345678910"
+    val invalidFnr = "123"
+
+    beforeTest {
+        every { contextHolder.tokenValidationContext } returns mockTokenValidationContext
+        every { mockTokenValidationContext.getClaims(TokenXUtil.TokenXIssuer.TOKENX) } returns mockJwtTokenClaims
+        every { mockJwtTokenClaims.getStringClaim("pid") } returns validFnr
+        every { mockJwtTokenClaims.getStringClaim("client_id") } returns "clientId"
+    }
+
+    test("harTilgang returns no access if brukertilgang returns false") {
+        every { brukertilgangService.tilgangTilOppslattIdent(any(), any()) } returns false
+        shouldThrowExactly<ResponseStatusException> {
+            controller.harTilgang(invalidFnr)
+        }.statusCode shouldBe HttpStatus.FORBIDDEN
+    }
+
+    test("harTilgang returns access if brukertilgang returns true") {
+        every { brukertilgangService.tilgangTilOppslattIdent(any(), any()) } returns true
+        val response = controller.harTilgang(validFnr)
+        response.harTilgang shouldBe true
+    }
+
+    test("accessToAnsatt returns no access if brukertilgang returns false") {
+        every { brukertilgangConsumer.hasAccessToAnsatt(any()) } returns false
+        val response = controller.accessToAnsatt(invalidFnr)
+        response.tilgang shouldBe false
+    }
+
+    test("accessToAnsatt returns access if brukertilgang returns true") {
+        every { brukertilgangConsumer.hasAccessToAnsatt(any()) } returns true
+        val response = controller.accessToAnsatt(validFnr)
+        response.tilgang shouldBe true
+    }
+})

src/test/kotlin/no/nav/syfo/kontaktinfo/KontaktinfoControllerTest.kt

@@ -4,19 +4,31 @@ import io.kotest.core.spec.style.FunSpec
 import io.kotest.matchers.shouldBe
 import io.mockk.every
 import io.mockk.mockk
+import no.nav.security.token.support.core.context.TokenValidationContext
 import no.nav.security.token.support.core.context.TokenValidationContextHolder
+import no.nav.security.token.support.core.jwt.JwtTokenClaims
+import no.nav.syfo.auth.tokenx.TokenXUtil.TokenXIssuer.TOKENX
 import no.nav.syfo.brukertilgang.BrukertilgangService
 import org.springframework.http.HttpStatus
 
 class KontaktinfoControllerTest : FunSpec({
     val contextHolder = mockk<TokenValidationContextHolder>()
+    val mockTokenValidationContext = mockk<TokenValidationContext>()
+    val mockJwtTokenClaims = mockk<JwtTokenClaims>()
     val brukertilgangService = mockk<BrukertilgangService>()
     val krrClient = mockk<KrrClient>()
     val controller = KontaktinfoController(contextHolder, brukertilgangService, krrClient, "clientId")
 
     val validFnr = "12345678910"
     val invalidFnr = "123"
 
+    beforeTest {
+        every { contextHolder.tokenValidationContext } returns mockTokenValidationContext
+        every { mockTokenValidationContext.getClaims(TOKENX) } returns mockJwtTokenClaims
+        every { mockJwtTokenClaims.getStringClaim("pid") } returns validFnr
+        every { mockJwtTokenClaims.getStringClaim("client_id") } returns "clientId"
+    }
+
     test("Invalid fnr returns forbidden") {
         every { brukertilgangService.tilgangTilOppslattIdent(any(), any()) } returns true
         val response = controller.getKontaktinfo(invalidFnr)