client interceptor and matcher using OAuth2AccessTokenService (#318)

* client interceptor that exchanges a token using the {@link OAuth2AccessTokenService} and sets Authorization header to this new token
* configuration is retrieved through a configurable matcher implementing `ClientConfigurationPropertiesMatcher`
* if no configuration is found this interceptor is NOOP. Must be registered by the applications themselves,
* no automatic bean registration.

Co-authored-by: Jan-Olav Eide <jan-olav.eide@nav.no>

Author: jan-olaveide

token-client-spring/src/main/java/no/nav/security/token/support/client/spring/oauth2/ClientConfigurationPropertiesMatcher.java

@@ -0,0 +1,22 @@
+package no.nav.security.token.support.client.spring.oauth2;
+
+import java.util.Optional;
+
+import org.springframework.http.HttpRequest;
+
+import no.nav.security.token.support.client.core.ClientProperties;
+import no.nav.security.token.support.client.spring.ClientConfigurationProperties;
+
+/**
+ *
+ * Default implementation that matcher host in request URL with the registration
+ * name. Override for other strategies. Will typically be used with
+ * {@link OAuth2ClientRequestInterceptor}. Must be registered by the
+ * applications themselves, no automatic bean registration
+ *
+ */
+public interface ClientConfigurationPropertiesMatcher {
+    default Optional<ClientProperties> findProperties(ClientConfigurationProperties properties, HttpRequest request) {
+        return Optional.ofNullable(properties.getRegistration().get(request.getURI().getHost()));
+    }
+}

token-client-spring/src/main/java/no/nav/security/token/support/client/spring/oauth2/OAuth2ClientRequestInterceptor.java

@@ -0,0 +1,54 @@
+package no.nav.security.token.support.client.spring.oauth2;
+
+import java.io.IOException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpRequest;
+import org.springframework.http.client.ClientHttpRequestExecution;
+import org.springframework.http.client.ClientHttpRequestInterceptor;
+import org.springframework.http.client.ClientHttpResponse;
+
+import no.nav.security.token.support.client.core.oauth2.OAuth2AccessTokenService;
+import no.nav.security.token.support.client.spring.ClientConfigurationProperties;
+
+/**
+ *
+ * Interceptor that exchanges a token using the {@link OAuth2AccessTokenService}
+ * and sets Authorization header to this new token, where the aud claim is set
+ * to the destination app. The configuration fo this app is retrieved through a
+ * configurable matcher implementing
+ * {@link ClientConfigurationPropertiesMatcher}. If no configuration is found,
+ * this interceptor is NOOP. Must be registered by the applications themselves,
+ * no automatic bean registration.
+ *
+ */
+public class OAuth2ClientRequestInterceptor implements ClientHttpRequestInterceptor {
+
+    private static final Logger LOG = LoggerFactory.getLogger(OAuth2ClientRequestInterceptor.class);
+    private final ClientConfigurationProperties properties;
+    private final OAuth2AccessTokenService service;
+    private final ClientConfigurationPropertiesMatcher matcher;
+
+    public OAuth2ClientRequestInterceptor(ClientConfigurationProperties properties,
+            OAuth2AccessTokenService service, ClientConfigurationPropertiesMatcher matcher) {
+        this.properties = properties;
+        this.service = service;
+        this.matcher = matcher;
+    }
+
+    @Override
+    public ClientHttpResponse intercept(HttpRequest req, byte[] body, ClientHttpRequestExecution execution) throws IOException {
+        matcher.findProperties(properties, req)
+                .ifPresentOrElse(config -> req.getHeaders().setBearerAuth(service.getAccessToken(config).getAccessToken()),
+                        () -> LOG.info("Ingen konfig for {}", req.getURI()));
+
+        return execution.execute(req, body);
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getSimpleName() + " [properties=" + properties + ", service=" + service + ", matcher=" + matcher + "]";
+    }
+
+}

token-client-spring/src/test/java/no/nav/security/token/support/client/spring/oauth2/ClientConfigurationPropertiesTest.java

@@ -1,25 +1,25 @@
 package no.nav.security.token.support.client.spring.oauth2;
 
-import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
-import no.nav.security.token.support.client.core.ClientAuthenticationProperties;
-import no.nav.security.token.support.client.core.ClientProperties;
-import no.nav.security.token.support.client.core.oauth2.OnBehalfOfGrantRequest;
-import no.nav.security.token.support.client.spring.ClientConfigurationProperties;
-import no.nav.security.token.support.core.context.TokenValidationContextHolder;
-import org.junit.jupiter.api.BeforeEach;
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.util.Map;
+
 import org.junit.jupiter.api.Test;
-import org.mockito.MockitoAnnotations;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.web.client.RestTemplateAutoConfiguration;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.mock.mockito.MockBean;
 import org.springframework.test.context.ActiveProfiles;
 
-import java.util.Map;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
 
-import static org.assertj.core.api.Assertions.assertThat;
+import no.nav.security.token.support.client.core.ClientAuthenticationProperties;
+import no.nav.security.token.support.client.core.ClientProperties;
+import no.nav.security.token.support.client.core.oauth2.OnBehalfOfGrantRequest;
+import no.nav.security.token.support.client.spring.ClientConfigurationProperties;
+import no.nav.security.token.support.core.context.TokenValidationContextHolder;
 
-@SpringBootTest(classes = {OAuth2ClientConfiguration.class, RestTemplateAutoConfiguration.class})
+@SpringBootTest(classes = { OAuth2ClientConfiguration.class, RestTemplateAutoConfiguration.class })
 @ActiveProfiles("test")
 class ClientConfigurationPropertiesTest {
 
@@ -29,17 +29,11 @@ class ClientConfigurationPropertiesTest {
     @Autowired
     private ClientConfigurationProperties clientConfigurationProperties;
 
-    @BeforeEach
-    void before() {
-        MockitoAnnotations.initMocks(this);
-    }
-
     @Test
     void testClientConfigIsValid() {
         assertThat(clientConfigurationProperties).isNotNull();
         assertThat(clientConfigurationProperties.getRegistration()).isNotNull();
-        ClientProperties clientProperties =
-            clientConfigurationProperties.getRegistration().values().stream().findFirst().orElse(null);
+        ClientProperties clientProperties = clientConfigurationProperties.getRegistration().values().stream().findFirst().orElse(null);
         assertThat(clientProperties).isNotNull();
         ClientAuthenticationProperties auth = clientProperties.getAuthentication();
         assertThat(auth).isNotNull();
@@ -56,8 +50,7 @@ void testTokenExchangeProperties() {
         assertThat(clientConfigurationProperties).isNotNull();
         assertThat(clientConfigurationProperties.getRegistration()).isNotNull();
         System.out.println(clientConfigurationProperties);
-        ClientProperties clientProperties =
-            clientConfigurationProperties.getRegistration().get("example1-token-exchange1");
+        ClientProperties clientProperties = clientConfigurationProperties.getRegistration().get("example1-token-exchange1");
 
         assertThat(clientProperties).isNotNull();
         assertThat(clientProperties.getTokenExchange().getAudience()).isNotBlank();
@@ -67,8 +60,7 @@ void testTokenExchangeProperties() {
     void testClientConfigWithClientAuthMethodAsPrivateKeyJwt() {
         assertThat(clientConfigurationProperties).isNotNull();
         assertThat(clientConfigurationProperties.getRegistration()).isNotNull();
-        ClientProperties clientProperties =
-            clientConfigurationProperties.getRegistration().get("example1-clientcredentials3");
+        ClientProperties clientProperties = clientConfigurationProperties.getRegistration().get("example1-clientcredentials3");
         assertThat(clientProperties).isNotNull();
         ClientAuthenticationProperties auth = clientProperties.getAuthentication();
         assertThat(auth).isNotNull();