From 83da7834cc71b6895e291bc201c50630120ab487 Mon Sep 17 00:00:00 2001
From: JeremiahUy
Date: Fri, 14 Feb 2025 14:45:48 +0100
Subject: [PATCH] ADD: new azure group for PVO

Co-authored-by: andregroseth
---
 apps/backend/nais/backend-dev-gcp-vars.yaml | 2 ++
 apps/backend/nais/backend-prod-gcp-vars.yaml | 2 ++
 .../main/java/no/nav/data/common/security/RoleSupport.java | 3 +++
 .../java/no/nav/data/common/security/SecurityProperties.java | 1 +
 .../main/java/no/nav/data/common/security/SecurityUtils.java | 4 ++++
 .../no/nav/data/common/security/azure/AzureUserInfo.java | 5 +++++
 .../main/java/no/nav/data/common/security/dto/AppRole.java | 3 ++-
 .../main/java/no/nav/data/common/security/dto/UserInfo.java | 2 ++
 apps/backend/src/main/resources/application-local.yml | 1 +
 apps/backend/src/main/resources/application.yml | 1 +
 10 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/apps/backend/nais/backend-dev-gcp-vars.yaml b/apps/backend/nais/backend-dev-gcp-vars.yaml
index d99b03bab..271274b4e 100644
--- a/apps/backend/nais/backend-dev-gcp-vars.yaml
+++ b/apps/backend/nais/backend-dev-gcp-vars.yaml
@@ -22,5 +22,7 @@ env:
 value: bf05a29f-6f80-4da1-b419-22c802fd41e7
 - name: AZURE_CLIENT_GROUPS_KRAVEIER
 value: d99d875c-c028-46a4-94bc-a87a633b3eee
+ - name: AZURE_CLIENT_GROUPS_PVO
+ value: 1e0cb856-a8ba-4294-aab3-8162e3ebe1ea
 - name: CLIENT_BEGREPSKATALOG_FRONTEND_URL
 value: https://begrepskatalog.intern.nav.no/begrep
\ No newline at end of file
diff --git a/apps/backend/nais/backend-prod-gcp-vars.yaml b/apps/backend/nais/backend-prod-gcp-vars.yaml
index 59471782e..c57bdcf49 100644
--- a/apps/backend/nais/backend-prod-gcp-vars.yaml
+++ b/apps/backend/nais/backend-prod-gcp-vars.yaml
@@ -19,5 +19,7 @@ env:
 value: bf05a29f-6f80-4da1-b419-22c802fd41e7
 - name: AZURE_CLIENT_GROUPS_KRAVEIER
 value: d99d875c-c028-46a4-94bc-a87a633b3eee
+ - name: AZURE_CLIENT_GROUPS_PVO
+ value: 1e0cb856-a8ba-4294-aab3-8162e3ebe1ea
 - name: CLIENT_BEGREPSKATALOG_FRONTEND_URL
 value: https://begrepskatalog.intern.nav.no/begrep
\ No newline at end of file
diff --git a/apps/backend/src/main/java/no/nav/data/common/security/RoleSupport.java b/apps/backend/src/main/java/no/nav/data/common/security/RoleSupport.java
index 63ca7fa5b..5d2a6c815 100644
--- a/apps/backend/src/main/java/no/nav/data/common/security/RoleSupport.java
+++ b/apps/backend/src/main/java/no/nav/data/common/security/RoleSupport.java
@@ -46,6 +46,9 @@ private AppRole roleFor(String group) {
 if (securityProperties.getKraveierGroups().contains(group)) {
 return AppRole.KRAVEIER;
 }
+ if (securityProperties.getPvoGroups().contains(group)) {
+ return AppRole.PERSONVERNOMBUD;
+ }
 // for future - add team -> system roles here
 return null;
 }
diff --git a/apps/backend/src/main/java/no/nav/data/common/security/SecurityProperties.java b/apps/backend/src/main/java/no/nav/data/common/security/SecurityProperties.java
index 4f45c57cc..ac4722913 100644
--- a/apps/backend/src/main/java/no/nav/data/common/security/SecurityProperties.java
+++ b/apps/backend/src/main/java/no/nav/data/common/security/SecurityProperties.java
@@ -21,6 +21,7 @@ public class SecurityProperties {
 private List writeGroups;
 private List adminGroups;
 private List kraveierGroups;
+ private List pvoGroups;
 private List redirectUris;
 private String env;
 private List devEmailAllowList;
diff --git a/apps/backend/src/main/java/no/nav/data/common/security/SecurityUtils.java b/apps/backend/src/main/java/no/nav/data/common/security/SecurityUtils.java
index 8ed1eed34..59c2f6531 100644
--- a/apps/backend/src/main/java/no/nav/data/common/security/SecurityUtils.java
+++ b/apps/backend/src/main/java/no/nav/data/common/security/SecurityUtils.java
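Review bot: roleFor returns on the first list that contains the group, so a group id that appears in both kraveier-groups and pvo-groups only ever yields KRAVEIER, and with the shared fallback `teamdatajegerne` that application.yml gives both properties, PERSONVERNOMBUD cannot be reached when AZURE_CLIENT_GROUPS_PVO is unset. The start of roleFor and the earlier write/admin checks are outside the hunk, so the full precedence order is inferred from the visible kraveier-before-pvo ordering. A comment on the new branch would make both the abbreviation and the one-role-per-group rule explicit: `// PVO = personvernombud; ids come from AZURE_CLIENT_GROUPS_PVO. First matching list wins, a group maps to one role only.` The same note applies to the new pvoGroups field in SecurityProperties in this hunk, and if any profile can leave that property unbound, `getPvoGroups()` being null would make `contains` throw here — how the list is initialised is not visible, so treat that as something to confirm.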
@@ -34,6 +34,10 @@ public static boolean isKravEier() {
 return getCurrentUser().map(UserInfo::isKravEier).orElse(false);
 }
+ public static boolean isPersonvernombud() {
+ return getCurrentUser().map(UserInfo::isPersonvernombud).orElse(false);
+ }
+
 public static boolean isUserOrAdmin(String ident) {
 return getCurrentIdent().equals(ident) || isAdmin();
 }
diff --git a/apps/backend/src/main/java/no/nav/data/common/security/azure/AzureUserInfo.java b/apps/backend/src/main/java/no/nav/data/common/security/azure/AzureUserInfo.java
index 2b493858d..66a1be73d 100644
--- a/apps/backend/src/main/java/no/nav/data/common/security/azure/AzureUserInfo.java
+++ b/apps/backend/src/main/java/no/nav/data/common/security/azure/AzureUserInfo.java
@@ -86,6 +86,11 @@ public boolean isKravEier() {
 return groups.contains(AppRole.KRAVEIER.name()) || isAdmin();
 }
+ @Override
+ public boolean isPersonvernombud() {
+ return groups.contains(AppRole.PERSONVERNOMBUD.name()) || isAdmin();
+ }
+
 public UserInfoResponse toResponse() {
 return UserInfoResponse.builder()
 .loggedIn(true)
diff --git a/apps/backend/src/main/java/no/nav/data/common/security/dto/AppRole.java b/apps/backend/src/main/java/no/nav/data/common/security/dto/AppRole.java
index 164fde12a..122a85307 100644
--- a/apps/backend/src/main/java/no/nav/data/common/security/dto/AppRole.java
+++ b/apps/backend/src/main/java/no/nav/data/common/security/dto/AppRole.java
@@ -7,7 +7,8 @@ public enum AppRole {
 READ,
 WRITE,
 ADMIN,
- KRAVEIER;
+ KRAVEIER,
+ PERSONVERNOMBUD;
 public static final String ROLE_PREFIX = "ROLE_";
diff --git a/apps/backend/src/main/java/no/nav/data/common/security/dto/UserInfo.java b/apps/backend/src/main/java/no/nav/data/common/security/dto/UserInfo.java
index e640af53d..9175f4c57 100644
--- a/apps/backend/src/main/java/no/nav/data/common/security/dto/UserInfo.java
+++ b/apps/backend/src/main/java/no/nav/data/common/security/dto/UserInfo.java
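Review bot: AzureUserInfo.isPersonvernombud grants the role to every admin through `|| isAdmin()`, mirroring isKravEier; if PVO is meant as an independent oversight role (a data protection officer's assessment that an administrator should not be able to perform by virtue of being admin), that shortcut removes the separation of duties and the method should be `return groups.contains(AppRole.PERSONVERNOMBUD.name());`. Whether that separation is intended is not visible here, so at minimum the choice should be documented on the method, e.g. `/** True when the user's Azure groups map to the PVO role, or the user is an admin (admins inherit every role). */`. SecurityUtils.isPersonvernombud in this hunk only delegates, so it exposes the same admin-inherits-PVO behaviour to callers and any Javadoc there should say so.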
@@ -24,5 +24,7 @@ public interface UserInfo {
 boolean isKravEier();
+ boolean isPersonvernombud();
+
 UserInfoResponse toResponse();
 }
diff --git a/apps/backend/src/main/resources/application-local.yml b/apps/backend/src/main/resources/application-local.yml
index 20bf57f2a..2092b1aa6 100644
--- a/apps/backend/src/main/resources/application-local.yml
+++ b/apps/backend/src/main/resources/application-local.yml
@@ -30,3 +30,4 @@ AZURE_APP_CLIENT_SECRET: secret
 AZURE_CLIENT_GROUPS_ADMIN: bf05a29f-6f80-4da1-b419-22c802fd41e7
 AZURE_CLIENT_GROUPS: 2ee0ef50-718c-43d3-8c05-c839f2dc2490
 AZURE_CLIENT_GROUPS_KRAVEIER: d99d875c-c028-46a4-94bc-a87a633b3eee
+AZURE_CLIENT_GROUPS_PVO: 1e0cb856-a8ba-4294-aab3-8162e3ebe1ea
diff --git a/apps/backend/src/main/resources/application.yml b/apps/backend/src/main/resources/application.yml
index fa700387a..959806ed6 100644
--- a/apps/backend/src/main/resources/application.yml
+++ b/apps/backend/src/main/resources/application.yml
@@ -92,6 +92,7 @@ etterlev:
 enc-key: ${AZURE_TOKEN_ENC_KEY:tokenkey}
 env: ${NAIS_CLUSTER_NAME:local}
 kraveier-groups: ${AZURE_CLIENT_GROUPS_KRAVEIER:teamdatajegerne}
+ pvo-groups: ${AZURE_CLIENT_GROUPS_PVO:teamdatajegerne}
 redirectUris: http://localhost:3000
 write-groups: ${AZURE_CLIENT_GROUPS:teamdatajegerne}
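Review bot: The new `boolean isPersonvernombud();` on UserInfo carries no Javadoc, and as an abstract method it obliges every implementation to provide it — only AzureUserInfo is updated in this commit, so any other UserInfo implementation (test doubles, for instance) would stop compiling; whether others exist is not visible here. Keeping it abstract rather than adding a `default` that returns false is the sounder choice for an authorization check, because each implementation should state explicitly whether it grants the role. Suggest documenting the contract above the declaration: `/** Whether the user holds the personvernombud (PVO) role; implementations decide how group membership maps to it. */`.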
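Review bot: The new `pvo-groups: ${AZURE_CLIENT_GROUPS_PVO:teamdatajegerne}` falls back to a placeholder when the variable is unset, in line with the neighbouring kraveier-groups and write-groups, which means a deployment that forgets to set AZURE_CLIENT_GROUPS_PVO starts normally with a PVO list that can never match a real group id. That is consistent with the file's existing style, but for an authorization group a fail-fast `${AZURE_CLIENT_GROUPS_PVO}` with no default, or a startup check in SecurityProperties, would surface the misconfiguration instead of silently making the role unassignable; the nais var files and application-local.yml in this commit do set the variable, so the gap would only appear in a profile not shown here.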