Set up AT env (#539)

* support other envs * use platform base url in prod * fix base_url * add at env, remove legacyOpenId * remove unused code --------- Co-authored-by: Hammerbeck <andreas.hammerbeck@digdir.no>
Altinn · Dec 5, 2024 · 8f45988 · 8f45988
1 parent 3900190
commit 8f45988
Show file tree

Hide file tree

Showing 13 changed files with 53 additions and 46 deletions.
diff --git a/.azure/applications/api/main.bicep b/.azure/applications/api/main.bicep
@@ -8,7 +8,6 @@ param environment string
 param location string
 @minLength(3)
 param platform_base_url string
-param legacy_base_url string
 @secure()
 @minLength(3)
 param sourceKeyVaultName string
@@ -90,7 +89,6 @@ module containerApp '../../modules/containerApp/main.bicep' = {
     subscription_id: subscription().subscriptionId
     principal_id: appIdentity.outputs.id
     platform_base_url: platform_base_url
-    legacy_base_url: legacy_base_url
     keyVaultUrl: keyVaultUrl
     userIdentityClientId: appIdentity.outputs.clientId
     containerAppEnvId: keyvault.getSecret('container-app-env-id')

diff --git a/.azure/applications/api/params.bicepparam b/.azure/applications/api/params.bicepparam
@@ -4,7 +4,6 @@ param namePrefix = readEnvironmentVariable('NAME_PREFIX')
 param location = 'norwayeast'
 param imageTag = readEnvironmentVariable('IMAGE_TAG')
 param platform_base_url = readEnvironmentVariable('PLATFORM_BASE_URL')
-param legacy_base_url = readEnvironmentVariable('LEGACY_BASE_URL')
 param correspondenceBaseUrl = readEnvironmentVariable('CORRESPONDENCE_BASE_URL')
 param environment = readEnvironmentVariable('ENVIRONMENT')
 param maskinporten_environment = 'test'

diff --git a/.azure/infrastructure/parameters.json b/.azure/infrastructure/parameters.json
@@ -0,0 +1,9 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "adminPassword": {
+            "value": "yourSecretHere123!"
+        }
+    }
+}
diff --git a/.azure/modules/containerApp/main.bicep b/.azure/modules/containerApp/main.bicep
@@ -4,7 +4,6 @@ param namePrefix string
 param image string
 param environment string
 param platform_base_url string
-param legacy_base_url string
 param maskinporten_environment string
 param correspondenceBaseUrl string
 param idportenIssuer string
@@ -58,10 +57,6 @@ var containerAppEnvVars = [
     name: 'AltinnOptions__OpenIdWellKnown'
     value: '${platform_base_url}/authentication/api/v1/openid/.well-known/openid-configuration'
   }
-  {
-    name: 'AltinnOptions__LegacyOpenIdWellKnown'
-    value: '${legacy_base_url}/authentication/api/v1/openid/.well-known/openid-configuration'
-  }
   { name: 'AltinnOptions__PlatformGatewayUrl', value: platform_base_url }
   { name: 'AltinnOptions__PlatformSubscriptionKey', secretRef: 'platform-subscription-key' }
   { name: 'AltinnOptions__AccessManagementSubscriptionKey', secretRef: 'access-management-subscription-key' }

diff --git a/.github/actions/deploy-to-environment/action.yml b/.github/actions/deploy-to-environment/action.yml
@@ -57,9 +57,6 @@ inputs:
   PLATFORM_BASE_URL:
     description: "Platform Base URL"
     required: true
-  LEGACY_BASE_URL:
-    description: "Legacy Base URL"
-    required: false
   PLATFORM_SUBSCRIPTION_KEY:
     description: "Platform Subscription Key"
     required: true
@@ -120,5 +117,4 @@ runs:
         DIALOGPORTEN_ISSUER: ${{ inputs.DIALOGPORTEN_ISSUER }}
         IDPORTEN_ISSUER: ${{ inputs.IDPORTEN_ISSUER }}
         PLATFORM_BASE_URL: ${{ inputs.PLATFORM_BASE_URL }}
-        LEGACY_BASE_URL: ${{ inputs.LEGACY_BASE_URL }}
         STORAGE_ACCOUNT_NAME: ${{ inputs.AZURE_STORAGE_ACCOUNT_NAME }}
diff --git a/.github/actions/release-version/action.yml b/.github/actions/release-version/action.yml
@@ -29,9 +29,6 @@ inputs:
   PLATFORM_BASE_URL:
     description: "Base url for Altinn platform"
     required: true
-  LEGACY_BASE_URL:
-    description: "Base url for legacy platform"
-    required: false
   STORAGE_ACCOUNT_NAME:
     description: "Name of the storage account used for attachments"
     required: true
@@ -69,7 +66,6 @@ runs:
         CLIENT_ID: ${{ inputs.AZURE_CLIENT_ID }}
         TENANT_ID: ${{ inputs.AZURE_TENANT_ID }}
         PLATFORM_BASE_URL: ${{ inputs.PLATFORM_BASE_URL }}
-        LEGACY_BASE_URL: ${{ inputs.LEGACY_BASE_URL }}
         STORAGE_ACCOUNT_NAME: ${{ inputs.STORAGE_ACCOUNT_NAME }}
         CORRESPONDENCE_BASE_URL: ${{ inputs.CORRESPONDENCE_BASE_URL }}
         DIALOGPORTEN_ISSUER: ${{ inputs.DIALOGPORTEN_ISSUER }}

diff --git a/.github/workflows/ci-cd.yaml b/.github/workflows/ci-cd.yaml
@@ -75,7 +75,44 @@ jobs:
           MASKINPORTEN_CLIENT_ID: ${{ secrets.MASKINPORTEN_CLIENT_ID }}
           MASKINPORTEN_JWK: ${{ secrets.MASKINPORTEN_JWK }}
           PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
-          LEGACY_BASE_URL: ${{ secrets.LEGACY_BASE_URL }}
+          PLATFORM_SUBSCRIPTION_KEY: ${{ secrets.PLATFORM_SUBSCRIPTION_KEY }}
+          SLACK_URL: ${{ secrets.SLACK_URL }}
+
+  deploy-at22:
+    name: deploy at22
+    runs-on: ubuntu-latest
+    environment: test
+    if: always() && !failure() && !cancelled() 
+    needs: [get-version, publish, test]
+    permissions: 
+      id-token: write
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Deploy to environment
+        uses: ./.github/actions/deploy-to-environment
+        with:
+          environment: at22
+          imageTag: ${{ needs.get-version.outputs.imageTag }}
+          ACCESS_MANAGEMENT_SUBSCRIPTION_KEY: ${{ secrets.ACCESS_MANAGEMENT_SUBSCRIPTION_KEY }}
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          AZURE_ENVIRONMENT_KEY_VAULT_NAME: ${{ secrets.AZURE_ENVIRONMENT_KEY_VAULT_NAME }}
+          AZURE_NAME_PREFIX: ${{ secrets.AZURE_NAME_PREFIX }}
+          AZURE_STORAGE_ACCOUNT_NAME: ${{ secrets.AZURE_STORAGE_ACCOUNT_NAME }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          AZURE_TEST_ACCESS_CLIENT_ID: ${{ secrets.AZURE_TEST_ACCESS_CLIENT_ID }}
+          CORRESPONDENCE_BASE_URL: ${{ secrets.CORRESPONDENCE_BASE_URL }}
+          DIALOGPORTEN_ISSUER: ${{ secrets.DIALOGPORTEN_ISSUER }}
+          IDPORTEN_CLIENT_ID: ${{ secrets.IDPORTEN_CLIENT_ID }}
+          IDPORTEN_CLIENT_SECRET: ${{ secrets.IDPORTEN_CLIENT_SECRET }}
+          IDPORTEN_ISSUER: ${{ secrets.IDPORTEN_ISSUER }}
+          MASKINPORTEN_CLIENT_ID: ${{ secrets.MASKINPORTEN_CLIENT_ID }}
+          MASKINPORTEN_JWK: ${{ secrets.MASKINPORTEN_JWK }}
+          PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
           PLATFORM_SUBSCRIPTION_KEY: ${{ secrets.PLATFORM_SUBSCRIPTION_KEY }}
           SLACK_URL: ${{ secrets.SLACK_URL }}
 
@@ -117,7 +154,6 @@ jobs:
           MASKINPORTEN_CLIENT_ID: ${{ secrets.MASKINPORTEN_CLIENT_ID }}
           MASKINPORTEN_JWK: ${{ secrets.MASKINPORTEN_JWK }}
           PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
-          LEGACY_BASE_URL: ${{ secrets.LEGACY_BASE_URL }}
           PLATFORM_SUBSCRIPTION_KEY: ${{ secrets.PLATFORM_SUBSCRIPTION_KEY }}
           SLACK_URL: ${{ secrets.SLACK_URL }}
 
@@ -159,7 +195,6 @@ jobs:
           MASKINPORTEN_CLIENT_ID: ${{ secrets.MASKINPORTEN_CLIENT_ID }}
           MASKINPORTEN_JWK: ${{ secrets.MASKINPORTEN_JWK }}
           PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
-          LEGACY_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
           PLATFORM_SUBSCRIPTION_KEY: ${{ secrets.PLATFORM_SUBSCRIPTION_KEY }}
           SLACK_URL: ${{ secrets.SLACK_URL }}
 

diff --git a/.github/workflows/deploy-to-environment.yml b/.github/workflows/deploy-to-environment.yml
@@ -14,6 +14,7 @@ on:
           - test
           - staging
           - production
+          - at22
 
 jobs:
   get-version: 
@@ -77,6 +78,5 @@ jobs:
         MASKINPORTEN_CLIENT_ID: ${{ secrets.MASKINPORTEN_CLIENT_ID }}
         MASKINPORTEN_JWK: ${{ secrets.MASKINPORTEN_JWK }}
         PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
-        LEGACY_BASE_URL: ${{ secrets.LEGACY_BASE_URL }}
         PLATFORM_SUBSCRIPTION_KEY: ${{ secrets.PLATFORM_SUBSCRIPTION_KEY }}
         SLACK_URL: ${{ secrets.SLACK_URL }}
diff --git a/.github/workflows/publish-branch.yml b/.github/workflows/publish-branch.yml
@@ -35,7 +35,6 @@ jobs:
             AZURE_ENVIRONMENT_KEY_VAULT_NAME: ${{ secrets.AZURE_ENVIRONMENT_KEY_VAULT_NAME }}
             AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
             PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
-            LEGACY_BASE_URL: ${{ secrets.LEGACY_BASE_URL }}
             CORRESPONDENCE_BASE_URL: ${{ secrets.CORRESPONDENCE_BASE_URL }}
             STORAGE_ACCOUNT_NAME: ${{ secrets.AZURE_STORAGE_ACCOUNT_NAME }}
             DIALOGPORTEN_ISSUER: ${{ secrets.DIALOGPORTEN_ISSUER }}

diff --git a/src/Altinn.Correspondence.API/Auth/DependencyInjection.cs b/src/Altinn.Correspondence.API/Auth/DependencyInjection.cs
@@ -48,25 +48,6 @@ public static void ConfigureAuthentication(this IServiceCollection services, ICo
                         OnChallenge = AltinnTokenEventsHelper.OnChallenge
                     };
                 })
-                .AddJwtBearer(AuthorizationConstants.Legacy, options =>
-                {
-                    options.SaveToken = true;
-                    options.MetadataAddress = altinnOptions.LegacyOpenIdWellKnown ?? altinnOptions.OpenIdWellKnown;
-                    options.TokenValidationParameters = new TokenValidationParameters
-                    {
-                        ValidateIssuerSigningKey = true,
-                        ValidateIssuer = true,
-                        ValidateAudience = false,
-                        RequireExpirationTime = true,
-                        ValidateLifetime = !hostEnvironment.IsDevelopment(), // Do not validate lifetime in tests
-                        ClockSkew = TimeSpan.Zero
-                    };
-                    options.Events = new JwtBearerEvents()
-                    {
-                        OnAuthenticationFailed = AltinnTokenEventsHelper.OnAuthenticationFailed,
-                        OnChallenge = AltinnTokenEventsHelper.OnChallenge
-                    };
-                })
                 .AddJwtBearer(AuthorizationConstants.MaskinportenScheme, options => // To support maskinporten tokens 
                 {
                     options.SaveToken = true;
@@ -160,7 +141,7 @@ public static void ConfigureAuthorization(this IServiceCollection services, ICon
                 options.AddPolicy(AuthorizationConstants.DownloadAttachmentPolicy, policy =>
                     policy.RequireScopeIfAltinn(config, AuthorizationConstants.RecipientScope)
                           .AddAuthenticationSchemes(AuthorizationConstants.AllSchemes));
-                options.AddPolicy(AuthorizationConstants.Legacy, policy => policy.AddRequirements(new ScopeAccessRequirement(AuthorizationConstants.LegacyScope)).AddAuthenticationSchemes(AuthorizationConstants.Legacy));
+                options.AddPolicy(AuthorizationConstants.Legacy, policy => policy.AddRequirements(new ScopeAccessRequirement(AuthorizationConstants.LegacyScope)).AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme));
             });
         }
     }

diff --git a/src/Altinn.Correspondence.API/Controllers/LegacyCorrespondenceController.cs b/src/Altinn.Correspondence.API/Controllers/LegacyCorrespondenceController.cs
@@ -21,7 +21,7 @@ namespace Altinn.Correspondence.API.Controllers
     [ApiController]
     [ApiExplorerSettings(IgnoreApi = true)]
     [Route("correspondence/api/v1/legacy/correspondence")]
-    [Authorize(Policy = AuthorizationConstants.Legacy, AuthenticationSchemes = AuthorizationConstants.LegacyOrDefaultScheme)]
+    [Authorize(Policy = AuthorizationConstants.Legacy)]
     public class LegacyCorrespondenceController : Controller
     {
         private readonly ILogger<LegacyCorrespondenceController> _logger;

diff --git a/src/Altinn.Correspondence.Core/Options/AltinnOptions.cs b/src/Altinn.Correspondence.Core/Options/AltinnOptions.cs
@@ -6,5 +6,4 @@ public class AltinnOptions
     public string PlatformGatewayUrl { get; set; } = string.Empty;
     public string PlatformSubscriptionKey { get; set; } = string.Empty;
     public string AccessManagementSubscriptionKey { get; set; } = string.Empty;
-    public string LegacyOpenIdWellKnown { get; set; } = string.Empty;
 }
diff --git a/src/Altinn.Correspondence.Integrations/Altinn/Authorization/AltinnAuthorizationService.cs b/src/Altinn.Correspondence.Integrations/Altinn/Authorization/AltinnAuthorizationService.cs
@@ -41,16 +41,16 @@ public AltinnAuthorizationService(HttpClient httpClient, IOptions<AltinnOptions>
         _logger = logger;
     }
 
-    public Task<bool> CheckAccessAsSender(ClaimsPrincipal? user, string resourceId, string sender, string? instance, CancellationToken cancellationToken = default) 
+    public Task<bool> CheckAccessAsSender(ClaimsPrincipal? user, string resourceId, string sender, string? instance, CancellationToken cancellationToken = default)
         => CheckUserAccess(
             user,
             resourceId,
             sender.WithoutPrefix(),
             instance,
             new List<ResourceAccessLevel> { ResourceAccessLevel.Write },
             cancellationToken);
-    
-    public Task<bool> CheckAccessAsSender(ClaimsPrincipal? user, CorrespondenceEntity correspondence, CancellationToken cancellationToken = default) => 
+
+    public Task<bool> CheckAccessAsSender(ClaimsPrincipal? user, CorrespondenceEntity correspondence, CancellationToken cancellationToken = default) =>
         CheckUserAccess(
             user,
             correspondence.ResourceId,