Active group added to Authentication (#438)

* Add vardef to allowed audiences

* Add active group to Authentication

* Formatting

* Remove audiences from nais files

---------

Co-authored-by: Jorgen-5 <rlj@ssb.no>

Author: Jorgen-5

src/main/kotlin/no/ssb/metadata/vardef/controllers/internalapi/VariableDefinitionsController.kt

@@ -149,8 +149,7 @@ class VariableDefinitionsController(
         }
 
         val resolvedActiveGroup =
-            activeGroup?.takeUnless { it == "null" }
-                ?: authentication.attributes[LABID_ACTIVE_GROUP] as? String
+            (authentication.attributes[ACTIVE_GROUP] as? String)
                 ?: throw HttpStatusException(
                     HttpStatus.BAD_REQUEST,
                     "No active_group provided",

src/main/kotlin/no/ssb/metadata/vardef/security/VardefLabidTokenValidator.kt

@@ -9,6 +9,7 @@ import io.micronaut.security.token.Claims
 import io.micronaut.security.token.jwt.validator.JsonWebTokenParser
 import io.micronaut.security.token.jwt.validator.ReactiveJsonWebTokenValidator
 import jakarta.inject.Inject
+import no.ssb.metadata.vardef.constants.LABID_ACTIVE_GROUP
 import no.ssb.metadata.vardef.constants.SSB_EMAIL
 import no.ssb.metadata.vardef.exceptions.InvalidActiveGroupException
 import no.ssb.metadata.vardef.integrations.dapla.services.DaplaTeamService
@@ -134,7 +135,7 @@ class VardefLabidTokenValidator<R : HttpRequest<*>> : ReactiveJsonWebTokenValida
      *
      * @param token
      * @param request
-     * @return an [Authentication] containing the principals username and the assigned roles.
+     * @return an [Authentication] containing the principals username, the assigned roles, the claims, and the active group.
      */
     override fun validateToken(
         token: String?,
@@ -150,10 +151,12 @@ class VardefLabidTokenValidator<R : HttpRequest<*>> : ReactiveJsonWebTokenValida
             }.map {
                 val username = usernameFromToken(it)
                 logger.info("Validated LabID token for user=$username")
+                val attributes = it.jwtClaimsSet.claims.toMutableMap()
+                attributes["active_group"] = it.jwtClaimsSet.getStringClaim(LABID_ACTIVE_GROUP)
                 Authentication.build(
                     username,
                     assignRoles(it, request),
-                    it.jwtClaimsSet.claims,
+                    attributes,
                 )
             }
     }

src/main/kotlin/no/ssb/metadata/vardef/security/VardefTokenValidator.kt

@@ -123,7 +123,7 @@ class VardefTokenValidator<R : HttpRequest<*>> : ReactiveJsonWebTokenValidator<J
      *
      * @param token
      * @param request
-     * @return an [Authentication] containing the principals username and the assigned roles.
+     * @return an [Authentication] containing the principals username, the assigned roles, the claims, and the active group.
      */
     override fun validateToken(
         token: String?,
@@ -137,10 +137,12 @@ class VardefTokenValidator<R : HttpRequest<*>> : ReactiveJsonWebTokenValidator<J
             .filter {
                 it.jwtClaimsSet.getStringClaim(issuerClaim) in allowedIssuers
             }.map {
+                val attributes = it.jwtClaimsSet.claims.toMutableMap()
+                attributes["active_group"] = request.parameters.get(ACTIVE_GROUP)
                 Authentication.build(
                     it.jwtClaimsSet.getStringClaim(usernameClaim),
                     assignRoles(it, request),
-                    it.jwtClaimsSet.claims,
+                    attributes,
                 )
             }
     }

src/main/resources/application-naisprod.yml

@@ -1,13 +1,4 @@
 micronaut:
-  security:
-    token:
-      jwt:
-        claims:
-          values:
-            allowed-audiences:
-              - dapla-cli
-              - onyxia-api
-              - vardef
   http:
     services:
       dapla-team-api:

src/main/resources/application-naistest.yml

@@ -1,13 +1,4 @@
 micronaut:
-  security:
-    token:
-      jwt:
-        claims:
-          values:
-            allowed-audiences:
-              - dapla-cli
-              - onyxia-api
-              - vardef
   http:
     services:
       dapla-team-api: