WebFuzzing
diff --git a/‎auth/tiltaksgjennomforing-api-auth.yaml‎
Lines changed: 26 additions & 0 deletions b/‎auth/tiltaksgjennomforing-api-auth.yaml‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎dockerfiles/tiltaksgjennomforing-api.dockerfile‎
Lines changed: 1 addition & 1 deletion b/‎dockerfiles/tiltaksgjennomforing-api.dockerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎dockerfiles/tiltaksgjennomforing-api.yaml‎
Lines changed: 2 additions & 1 deletion b/‎dockerfiles/tiltaksgjennomforing-api.yaml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎jdk_17_maven/em/embedded/rest/tiltaksgjennomforing-api/src/main/java/em/embedded/rest/tiltaksgjennomforing/api/EmbeddedEvoMasterController.java‎
Lines changed: 93 additions & 15 deletions b/‎jdk_17_maven/em/embedded/rest/tiltaksgjennomforing-api/src/main/java/em/embedded/rest/tiltaksgjennomforing/api/EmbeddedEvoMasterController.java‎
Lines changed: 93 additions & 15 deletions
@@ -0,0 +1,26 @@
+auth:
+  - name: "aad"
+    loginEndpointAuth:
+      externalEndpointURL: "http://localhost:8083/aad/token"
+      payloadRaw: "NAVident=Q987654&grant_type=client_credentials&code=foo&client_id=foo&client_secret=secret"
+  - name: "system"
+    loginEndpointAuth:
+      externalEndpointURL: "http://localhost:8083/system/token"
+      payloadRaw: "sub=system&grant_type=client_credentials&code=foo&client_id=foo&client_secret=secret"
+  - name: "tokenxLevel3"
+    loginEndpointAuth:
+      externalEndpointURL: "http://localhost:8083/tokenx/token"
+      payloadRaw: "pid=88888888888&grant_type=client_credentials&code=foo&client_id=foo&client_secret=secret"
+  - name: "tokenxLevel4"
+    loginEndpointAuth:
+      externalEndpointURL: "http://localhost:8083/tokenx/token"
+      payloadRaw: "pid=99999999999&grant_type=client_credentials&code=foo&client_id=foo&client_secret=secret"
+
+authTemplate:
+  loginEndpointAuth:
+    verb: POST
+    contentType: application/x-www-form-urlencoded
+    token:
+      extractFromField: /access_token
+      httpHeaderName: Authorization
+      headerPrefix: "Bearer "
@@ -14,4 +14,4 @@ ENTRYPOINT \
 #    -javaagent:jacocoagent.jar=destfile=./jacoco/tiltaksgjennomforing-api__${TOOL}__${RUN}__jacoco.exec,append=false,dumponexit=true \
     -javaagent:jacocoagent.jar=output=tcpserver,address=*,port=6300,append=false,dumponexit=false \
      -jar tiltaksgjennomforing-api-sut.jar \
-    --server.port=8080 --spring.profiles.active=dev-gcp-labs --spring.datasource.driverClassName=org.postgresql.Driver --spring.sql.init.platform=postgres --no.nav.security.jwt.issuer.aad.discoveryurl=http://mock-oauth2-server:8083/azuread/.well-known/openid-configuration --no.nav.security.jwt.issuer.tokenx.discoveryurl=http://mock-oauth2-server:8083/azuread/.well-known/openid-configuration --management.server.port=-1 --server.ssl.enabled=false --spring.datasource.url=jdbc:postgresql://db:5432/tiltaksgjennomforing  --spring.datasource.username=postgres --spring.datasource.password=password --sentry.logging.enabled=false --sentry.environment=local --logging.level.root=OFF --logging.config=classpath:logback-spring.xml --logging.level.org.springframework=INFO
+    --server.port=8080 --spring.profiles.active=dev-gcp-labs --spring.datasource.driverClassName=org.postgresql.Driver --spring.sql.init.platform=postgres --no.nav.security.jwt.issuer.aad.discoveryurl=http://mock-oauth2-server:8083/aad/.well-known/openid-configuration --no.nav.security.jwt.issuer.aad.accepted_audience=aad --no.nav.security.jwt.issuer.system.discoveryurl=http://mock-oauth2-server:8083/system/.well-known/openid-configuration --no.nav.security.jwt.issuer.system.accepted_audience=system --no.nav.security.jwt.issuer.tokenx.discoveryurl=http://mock-oauth2-server:8083/tokenx/.well-known/openid-configuration --no.nav.security.jwt.issuer.tokenx.accepted_audience=tokenx --management.server.port=-1 --server.ssl.enabled=false --spring.datasource.url=jdbc:postgresql://db:5432/tiltaksgjennomforing  --spring.datasource.username=postgres --spring.datasource.password=password --sentry.logging.enabled=false --sentry.environment=local --logging.level.root=OFF --logging.config=classpath:logback-spring.xml --logging.level.org.springframework=INFO
@@ -35,4 +35,5 @@ services:
       JSON_CONFIG_PATH: /app/mockoauth2.json
     volumes:
       - ../scripts/dockerize/data/additional_files/tiltaksgjennomforing-api/mockoauth2.json:/app/mockoauth2.json
-  
+    ports:
+        - "8083:8083"
@@ -1,14 +1,19 @@
 package em.embedded.rest.tiltaksgjennomforing.api;
 
+import com.nimbusds.jose.JOSEObjectType;
 import no.nav.security.mock.oauth2.MockOAuth2Server;
 import no.nav.security.mock.oauth2.OAuth2Config;
 import no.nav.security.mock.oauth2.token.RequestMapping;
 import no.nav.security.mock.oauth2.token.RequestMappingTokenCallback;
 import no.nav.tag.tiltaksgjennomforing.TiltaksgjennomforingApplication;
+import no.nav.tag.tiltaksgjennomforing.autorisasjon.TokenUtils;
 import org.evomaster.client.java.controller.EmbeddedSutController;
 import org.evomaster.client.java.controller.InstrumentedSutStarter;
 import org.evomaster.client.java.controller.api.dto.SutInfoDto;
 import org.evomaster.client.java.controller.api.dto.auth.AuthenticationDto;
+import org.evomaster.client.java.controller.api.dto.auth.HttpVerb;
+import org.evomaster.client.java.controller.api.dto.auth.LoginEndpointDto;
+import org.evomaster.client.java.controller.api.dto.auth.TokenHandlingDto;
 import org.evomaster.client.java.controller.api.dto.database.schema.DatabaseType;
 import org.evomaster.client.java.controller.problem.ProblemInfo;
 import org.evomaster.client.java.controller.problem.RestProblem;
@@ -45,8 +50,7 @@ public class EmbeddedEvoMasterController extends EmbeddedSutController {
     private List<DbSpecification> dbSpecification;
 
     private MockOAuth2Server oAuth2Server;
-    private final String ISSUER_ID = "azuread";
-    private final String DEFAULT_AUDIENCE = "some-audience";
+    private final String BESLUTTER_AD_GROUP = "99ea78dc-db77-44d0-b193-c5dc22f01e1d";
 
 
     public EmbeddedEvoMasterController() {
@@ -79,10 +83,39 @@ public String getPackagePrefixesToCover() {
         return "no.nav.tag.tiltaksgjennomforing.";
     }
 
+    private AuthenticationDto getAuthenticationDto(String label, String keyValue, String oauth2Url){
+
+        AuthenticationDto dto = new AuthenticationDto(label);
+        LoginEndpointDto x = new LoginEndpointDto();
+        dto.loginEndpointAuth = x;
+
+        x.externalEndpointURL = oauth2Url;
+        x.payloadRaw = keyValue+"&grant_type=client_credentials&code=foo&client_id=foo&client_secret=secret";
+        x.verb = HttpVerb.POST;
+        x.contentType = "application/x-www-form-urlencoded";
+        x.expectCookies = false;
+
+        TokenHandlingDto token = new TokenHandlingDto();
+        token.headerPrefix = "Bearer ";
+        token.httpHeaderName = "Authorization";
+        token.extractFromField = "/access_token";
+        x.token = token;
+
+        return dto;
+    }
+
     @Override
     public List<AuthenticationDto> getInfoForAuthentication() {
-        //TODO
-        return null;
+        String urlAad = oAuth2Server.baseUrl() + "aad/token";
+        String urlSystem = oAuth2Server.baseUrl() + "system/token";
+        String urlTokenX = oAuth2Server.baseUrl() + "tokenx/token";
+
+        return Arrays.asList(
+                getAuthenticationDto("aad","NAVident=Q987654", urlAad),
+                getAuthenticationDto("system","sub=system", urlSystem),
+                getAuthenticationDto("tokenxLevel3","pid=88888888888", urlTokenX),
+                getAuthenticationDto("tokenxLevel4","pid=99999999999", urlTokenX)
+        );
     }
 
     @Override
@@ -98,32 +131,71 @@ public SutInfoDto.OutputFormat getPreferredOutputFormat() {
         return SutInfoDto.OutputFormat.JAVA_JUNIT_5;
     }
 
+    private RequestMapping getRequestMapping(String key, String value, String issuer, String subject, List<String> audience, String navIdent, String acrLevel, List<String> groups, String pid) {
+        Map<String,Object> claims = new HashMap<>();
+        claims.put("groups", groups);
+        claims.put("NAVident", navIdent);
+        claims.put("sub", subject);
+        claims.put("aud", audience);
+        claims.put("roles", Arrays.asList("access_as_application"));
+        claims.put("pid", pid);
+        claims.put("tid", issuer);
+        claims.put("azp", navIdent);
+        claims.put("acr", acrLevel);
+        claims.put("ver", "1.0");
+        claims.put("nonce", "myNonce");
+
+        RequestMapping rm = new RequestMapping(key, value, claims, JOSEObjectType.JWT.getType());
+
+        return rm;
+    }
 
     private OAuth2Config getOAuth2Config(){
 
         List<RequestMapping> mappings = Arrays.asList(
+                getRequestMapping("NAVident", "Q987654", "aad","blablabla", Arrays.asList("aad"), "Q987654", "Level4", Arrays.asList(BESLUTTER_AD_GROUP), "aad")
+        );
+
+        List<RequestMapping> mappingsSystem = Arrays.asList(
+                getRequestMapping("sub", "system", "system","system", Arrays.asList("system"), null, null, null, "system")
+        );
+
+        List<RequestMapping> mappingsTokenx = Arrays.asList(
+                getRequestMapping("pid", "88888888888", "tokenx","tokenx", Arrays.asList("tokenx"), null, "Level3", null, "88888888888"),
+                getRequestMapping("pid", "99999999999", "tokenx","tokenx", Arrays.asList("tokenx"), null, "Level4", null, "99999999999")
         );
 
         RequestMappingTokenCallback callback = new RequestMappingTokenCallback(
-                ISSUER_ID,
+                "aad",
                 mappings,
                 360000
         );
+        RequestMappingTokenCallback callbackSystem = new RequestMappingTokenCallback(
+                "system",
+                mappingsSystem,
+                360000
+        );
+
+        RequestMappingTokenCallback callbackTokenx = new RequestMappingTokenCallback(
+                "tokenx",
+                mappingsTokenx,
+                360000
+        );
 
         Set<RequestMappingTokenCallback> callbacks = Set.of(
-                callback
+                callback,
+                callbackSystem,
+                callbackTokenx
         );
 
-        OAuth2Config config = new OAuth2Config(
+        return new OAuth2Config(
                 true,
                 null,
                 null,
                 false,
                 new no.nav.security.mock.oauth2.token.OAuth2TokenProvider(),
                 callbacks
         );
-
-        return config;
     }
 
     @Override
@@ -134,12 +206,14 @@ public String startSut() {
 
         oAuth2Server = new  MockOAuth2Server(getOAuth2Config());
         oAuth2Server.start(8081); //ephemeral gives issues in generated tests
-        String wellKnownUrl = oAuth2Server.wellKnownUrl(ISSUER_ID).toString();
+        String wellKnownUrl = oAuth2Server.wellKnownUrl("aad").toString();
+        String wellKnownUrlSystem = oAuth2Server.wellKnownUrl("system").toString();
+        String wellKnownUrlTokenX = oAuth2Server.wellKnownUrl("tokenx").toString();
 
         //TODO should go through all the environment variables in application properties
         //TODO some of these might not be needed any more after change of profile
         System.setProperty("AZURE_APP_WELL_KNOWN_URL",wellKnownUrl);
-        System.setProperty("TOKEN_X_WELL_KNOWN_URL",wellKnownUrl);
+        System.setProperty("TOKEN_X_WELL_KNOWN_URL",wellKnownUrlTokenX);
         System.setProperty("VAULT_TOKEN","VAULT_TOKEN");
         System.setProperty("KAFKA_BROKERS","KAFKA_BROKERS");
         System.setProperty("KAFKA_TRUSTSTORE_PATH","KAFKA_TRUSTSTORE_PATH");
@@ -150,9 +224,9 @@ public String startSut() {
         System.setProperty("KAFKA_SCHEMA_REGISTRY_USER","KAFKA_SCHEMA_REGISTRY_USER");
         System.setProperty("KAFKA_SCHEMA_REGISTRY_PASSWORD","KAFKA_SCHEMA_REGISTRY_PASSWORD");
         System.setProperty("AZURE_APP_TENANT_ID","AZURE_APP_TENANT_ID");
-        System.setProperty("AZURE_APP_CLIENT_ID","AZURE_APP_CLIENT_ID");
-        System.setProperty("AZURE_APP_CLIENT_SECRET","AZURE_APP_CLIENT_SECRET");
-        System.setProperty("beslutter.ad.gruppe","99ea78dc-db77-44d0-b193-c5dc22f01e1d");
+        System.setProperty("AZURE_APP_CLIENT_ID","aad");
+        System.setProperty("AZURE_APP_CLIENT_SECRET","secret");
+        System.setProperty("beslutter.ad.gruppe",BESLUTTER_AD_GROUP);
 
         ctx = SpringApplication.run(TiltaksgjennomforingApplication.class, new String[]{
                 "--server.port=0",
@@ -161,7 +235,11 @@ public String startSut() {
                 "--spring.datasource.driverClassName=org.postgresql.Driver",
                 "--spring.sql.init.platform=postgres",
                 "--no.nav.security.jwt.issuer.aad.discoveryurl=" + wellKnownUrl,
-                "--no.nav.security.jwt.issuer.tokenx.discoveryurl=" + wellKnownUrl,
+                "--no.nav.security.jwt.issuer.aad.accepted_audience=aad",
+                "--no.nav.security.jwt.issuer.system.discoveryurl=" + wellKnownUrlSystem,
+                "--no.nav.security.jwt.issuer.system.accepted_audience=system",
+                "--no.nav.security.jwt.issuer.tokenx.discoveryurl=" + wellKnownUrlTokenX,
+                "--no.nav.security.jwt.issuer.tokenx.accepted_audience=tokenx",
                 "--management.server.port=-1",
                 "--server.ssl.enabled=false",
                 "--spring.datasource.url=" + postgresURL,