test token request from within app

Author: martinothamar

src/Runtime/operator/config/local-minimal/localtestapp.yaml

@@ -43,12 +43,12 @@ spec:
     ingressRoute:
       name: localtestapp-ingress
       entryPoints:
-        - web
+        - traefik
       routes:
-        - match: PathPrefix(`/localtestapp`)
+        - match: PathPrefix(`/ttd/localtestapp`)
           kind: Rule
           services:
-            - name: localtestapp
+            - name: ttd-localtestapp-deployment
               port: 80
     resources:
       requests:

src/Runtime/operator/internal/maskinporten/http_api_client.go

@@ -174,6 +174,15 @@ func (c *HttpApiClient) GetAllClients(ctx context.Context) ([]ClientResponse, er
 
 	result := make([]ClientResponse, 0, 16)
 	for _, cl := range dtos {
+		if cl.ClientId == "" {
+			return nil, fmt.Errorf("found client with empty ID")
+		}
+		if c.context.ServiceOwnerId == "digdir" && cl.ClientId == c.getConfig().ClientId {
+			// If this operator is running as digdir, the supplier client is also defined there
+			// so we need to skip it (we should never change or process the supplier client from here)
+			// TODO: unless we want to rotate JWKS automatically from the operator? o_O
+			continue
+		}
 		if cl.ClientName == nil {
 			return nil, fmt.Errorf("client with ID %s has no name", cl.ClientId)
 		}

src/Runtime/operator/test/app/App/App.csproj

@@ -8,5 +8,7 @@
 
   <ItemGroup>
     <PackageReference Include="Swashbuckle.AspNetCore" Version="6.5.0" />
+    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.0.1" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.0.1" />
   </ItemGroup>
 </Project>

src/Runtime/operator/test/app/App/Program.cs

@@ -1,11 +1,216 @@
-using App;
-
-var builder = WebApplication.CreateBuilder(args);
-
-builder.Services.AddHostedService<Worker>();
-
-var app = builder.Build();
-
-app.MapGet("/health", () => TypedResults.Ok());
-
-app.Run();
+using System.IdentityModel.Tokens.Jwt;
+using System.Net.Http.Headers;
+using System.Security.Claims;
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using App;
+using Microsoft.IdentityModel.Tokens;
+
+var builder = WebApplication.CreateBuilder(args);
+
+builder.Services.AddHostedService<Worker>();
+builder.Services.AddHttpClient();
+
+var app = builder.Build();
+
+app.MapGet("/health", () => TypedResults.Ok());
+
+app.MapGet("/ttd/localtestapp/token", async (HttpContext context, IHttpClientFactory httpClientFactory, ILoggerFactory loggerFactory) =>
+{
+    var logger = loggerFactory.CreateLogger("App");
+    logger.LogInformation("Received token request with scope: {scope}", context.Request.Query["scope"].ToString());
+
+    var scope = context.Request.Query["scope"].ToString();
+    if (string.IsNullOrEmpty(scope))
+    {
+        return Results.Json(new { success = false, error = "Missing 'scope' query parameter" });
+    }
+
+    try
+    {
+        // Read the maskinporten-settings.json from mounted secret
+        const string secretPath = "/mnt/app-secrets/maskinporten-settings.json";
+        if (!File.Exists(secretPath))
+        {
+            return Results.Json(new { success = false, error = $"Secret file not found at {secretPath}" });
+        }
+
+        var settingsJson = await File.ReadAllTextAsync(secretPath);
+        var settings = JsonSerializer.Deserialize<MaskinportenSettings>(settingsJson);
+        if (settings == null)
+        {
+            return Results.Json(new { success = false, error = "Failed to deserialize settings" });
+        }
+
+        if (string.IsNullOrEmpty(settings.ClientId))
+        {
+            return Results.Json(new { success = false, error = "ClientId is empty in settings" });
+        }
+
+        if (settings.Jwk == null)
+        {
+            return Results.Json(new { success = false, error = "JWK is null in settings" });
+        }
+
+        // Create RSA key from JWK
+        var rsa = RSA.Create();
+        var rsaParams = new RSAParameters
+        {
+            Modulus = Base64UrlDecode(settings.Jwk.N),
+            Exponent = Base64UrlDecode(settings.Jwk.E),
+            D = Base64UrlDecode(settings.Jwk.D),
+            P = Base64UrlDecode(settings.Jwk.P),
+            Q = Base64UrlDecode(settings.Jwk.Q),
+            DP = Base64UrlDecode(settings.Jwk.Dp),
+            DQ = Base64UrlDecode(settings.Jwk.Dq),
+            InverseQ = Base64UrlDecode(settings.Jwk.Qi)
+        };
+        rsa.ImportParameters(rsaParams);
+
+        var securityKey = new RsaSecurityKey(rsa) { KeyId = settings.Jwk.Kid };
+        var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.RsaSha256);
+
+        // Create JWT assertion
+        var now = DateTime.UtcNow;
+        var claims = new[]
+        {
+            new Claim("scope", scope),
+            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString())
+        };
+
+        var tokenDescriptor = new SecurityTokenDescriptor
+        {
+            Subject = new ClaimsIdentity(claims),
+            Issuer = settings.ClientId,
+            Audience = settings.Authority,
+            Expires = now.AddSeconds(60),
+            IssuedAt = now,
+            NotBefore = now,
+            SigningCredentials = credentials
+        };
+
+        var tokenHandler = new JwtSecurityTokenHandler();
+        var jwtToken = tokenHandler.CreateToken(tokenDescriptor);
+        var assertion = tokenHandler.WriteToken(jwtToken);
+
+        // Call the Maskinporten token endpoint
+        var httpClient = httpClientFactory.CreateClient();
+        var tokenUrl = $"http://fakes.runtime-operator.svc.cluster.local:8050/token?grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion={Uri.EscapeDataString(assertion)}";
+
+        var response = await httpClient.PostAsync(tokenUrl, null);
+        var responseContent = await response.Content.ReadAsStringAsync();
+
+        if (!response.IsSuccessStatusCode)
+        {
+            return Results.Json(new { success = false, error = $"Token endpoint returned {response.StatusCode}: {responseContent}" });
+        }
+
+        var tokenResponse = JsonSerializer.Deserialize<TokenResponse>(responseContent);
+        if (tokenResponse == null || string.IsNullOrEmpty(tokenResponse.AccessToken))
+        {
+            return Results.Json(new { success = false, error = "Failed to parse token response" });
+        }
+
+        // Decode the access token (it's base64-encoded JSON in the fake)
+        var decodedToken = Encoding.UTF8.GetString(Convert.FromBase64String(tokenResponse.AccessToken));
+        var tokenClaims = JsonSerializer.Deserialize<FakeTokenClaims>(decodedToken);
+
+        return Results.Json(new
+        {
+            success = true,
+            claims = tokenClaims
+        });
+    }
+    catch (Exception ex)
+    {
+        return Results.Json(new { success = false, error = ex.Message });
+    }
+});
+
+app.Run();
+
+static byte[] Base64UrlDecode(string? input)
+{
+    if (string.IsNullOrEmpty(input))
+        return Array.Empty<byte>();
+
+    // Convert base64url to base64
+    var base64 = input.Replace('-', '+').Replace('_', '/');
+    switch (base64.Length % 4)
+    {
+        case 2: base64 += "=="; break;
+        case 3: base64 += "="; break;
+    }
+    return Convert.FromBase64String(base64);
+}
+
+public class MaskinportenSettings
+{
+    [JsonPropertyName("clientId")]
+    public string? ClientId { get; set; }
+
+    [JsonPropertyName("authority")]
+    public string? Authority { get; set; }
+
+    [JsonPropertyName("jwk")]
+    public JwkKey? Jwk { get; set; }
+}
+
+public class JwkKey
+{
+    [JsonPropertyName("kty")]
+    public string? Kty { get; set; }
+
+    [JsonPropertyName("kid")]
+    public string? Kid { get; set; }
+
+    [JsonPropertyName("n")]
+    public string? N { get; set; }
+
+    [JsonPropertyName("e")]
+    public string? E { get; set; }
+
+    [JsonPropertyName("d")]
+    public string? D { get; set; }
+
+    [JsonPropertyName("p")]
+    public string? P { get; set; }
+
+    [JsonPropertyName("q")]
+    public string? Q { get; set; }
+
+    [JsonPropertyName("dp")]
+    public string? Dp { get; set; }
+
+    [JsonPropertyName("dq")]
+    public string? Dq { get; set; }
+
+    [JsonPropertyName("qi")]
+    public string? Qi { get; set; }
+}
+
+public class TokenResponse
+{
+    [JsonPropertyName("access_token")]
+    public string? AccessToken { get; set; }
+
+    [JsonPropertyName("token_type")]
+    public string? TokenType { get; set; }
+
+    [JsonPropertyName("scope")]
+    public string? Scope { get; set; }
+
+    [JsonPropertyName("expires_in")]
+    public int ExpiresIn { get; set; }
+}
+
+public class FakeTokenClaims
+{
+    [JsonPropertyName("scopes")]
+    public string[]? Scopes { get; set; }
+
+    [JsonPropertyName("client_id")]
+    public string? ClientId { get; set; }
+}

src/Runtime/operator/test/app/App/Worker.cs

@@ -1,23 +1,23 @@
-namespace App;
-
-public class Worker : BackgroundService
-{
-    private readonly ILogger<Worker> _logger;
-
-    public Worker(ILogger<Worker> logger)
-    {
-        _logger = logger;
-    }
-
-    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
-    {
-        while (!stoppingToken.IsCancellationRequested)
-        {
-            if (_logger.IsEnabled(LogLevel.Information))
-            {
-                _logger.LogInformation("Worker running at: {time}", DateTimeOffset.Now);
-            }
-            await Task.Delay(1000, stoppingToken);
-        }
-    }
-}
+namespace App;
+
+public class Worker : BackgroundService
+{
+    private readonly ILogger<Worker> _logger;
+
+    public Worker(ILogger<Worker> logger)
+    {
+        _logger = logger;
+    }
+
+    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+    {
+        while (!stoppingToken.IsCancellationRequested)
+        {
+            if (_logger.IsEnabled(LogLevel.Information))
+            {
+                _logger.LogInformation("Worker running at: {time}", DateTimeOffset.Now);
+            }
+            await Task.Delay(60_000, stoppingToken);
+        }
+    }
+}

src/Runtime/operator/test/app/App/appsettings.json

@@ -8,8 +8,9 @@
   },
   "Logging": {
     "LogLevel": {
-      "Default": "Information",
-      "Microsoft.Hosting.Lifetime": "Information"
+      "Default": "Warning",
+      "Microsoft.Hosting.Lifetime": "Information",
+      "App": "Information"
     }
   }
 }

src/Runtime/operator/test/e2e/__snapshots__/step1b-token.snap

@@ -0,0 +1,12 @@
+
+[controller Operator should generate token using reconciled credentials - 1]
+{
+ "claims": {
+  "client_id": "<sanitized-client-id>",
+  "scopes": [
+   "altinn:serviceowner/instances.read"
+  ]
+ },
+ "success": true
+}
+---

src/Runtime/operator/test/e2e/e2e_test.go

@@ -246,6 +246,36 @@ var _ = Describe("controller", Ordered, func() {
 				time.Second,
 				"step1-reconciled",
 			)
+
+			By("triggering pod secret volume sync")
+			err = TriggerPodSecretSync(k8sClient, clientNamespace, "ttd-localtestapp-deployment")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("should generate token using reconciled credentials", func() {
+			By("calling testapp token endpoint")
+			var tokenResp *TokenResponse
+			Eventually(func() error {
+				resp, err := FetchToken("altinn:serviceowner/instances.read")
+				if err != nil {
+					fmt.Fprintf(GinkgoWriter, "FetchToken error: %v\n", err)
+					return err
+				}
+				if !resp.Success {
+					fmt.Fprintf(GinkgoWriter, "Token request failed: %s\n", resp.Error)
+					return fmt.Errorf("token request failed: %s", resp.Error)
+				}
+				fmt.Fprintf(GinkgoWriter, "Token request succeeded, clientId: %s, scopes: %v\n", resp.Claims.ClientId, resp.Claims.Scopes)
+				tokenResp = resp
+				return nil
+			}, time.Second*10, time.Second).Should(Succeed())
+
+			By("verifying token claims")
+			Expect(tokenResp.Claims).NotTo(BeNil())
+			Expect(tokenResp.Claims.Scopes).To(ContainElement("altinn:serviceowner/instances.read"))
+
+			By("snapshotting token response")
+			SnapshotTokenResponse(tokenResp, "step1b-token")
 		})
 
 		It("should handle scope removal", func() {
@@ -284,6 +314,10 @@ var _ = Describe("controller", Ordered, func() {
 				time.Second,
 				"step2-scope-removed",
 			)
+
+			By("triggering pod secret volume sync")
+			err = TriggerPodSecretSync(k8sClient, clientNamespace, "ttd-localtestapp-deployment")
+			Expect(err).NotTo(HaveOccurred())
 		})
 
 		It("should clean up on deletion", func() {