Secret provider (#1706)

* feat: add provider and generator

* feat: add signed jwt to callback url

* feat: add validator

* chore: format

* test: update existing

* test: snapshots and updates

* feat: add services to DI

* temp: logging

* fix path and add temp logging

* refactor: log cleanup

* feat: read app codes

* refactor: remove aync from sync methods

* feat: add namespace to appcodesettings

* refactor: pr feedback

* di: fix using

* di: simplify options registration and usage, consolidate with existing

* feat: instrument generator and validator

* test: make test stricter

* refactor: rename file

* refactor: make room for more in AppCodesSettings

* feat: metadata app codes

Author: HauklandJ

src/Altinn.App.Api/Controllers/NotificationCallbackController.cs

@@ -1,6 +1,7 @@
 using System.Text.Json.Serialization;
 using Altinn.App.Core.Features;
 using Altinn.App.Core.Features.Notifications.Cancellation;
+using Altinn.App.Core.Features.Notifications.SecretProvider;
 using Altinn.App.Core.Internal.Instances;
 using Altinn.Platform.Storage.Interface.Models;
 using Microsoft.AspNetCore.Authorization;
@@ -18,28 +19,34 @@ namespace Altinn.App.Api.Controllers;
 public class NotificationCallbackController(
     ILogger<NotificationCallbackController> logger,
     ICancelInstantiationNotification instantiationNotification,
+    INotificationConditionCodeValidator validator,
     IInstanceClient instanceClient
-)
+) : ControllerBase
 {
     /// <summary>
     /// Callback endpoint to check whether remaining notifications on application instantiation should be sent or not
     /// </summary>
     /// <returns><see cref="NotificationCallbackResponse"/></returns>
     [HttpGet("{instanceOwnerPartyId:int}/{instanceGuid:guid}")]
+    [ProducesResponseType(typeof(NotificationCallbackResponse), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
     public async Task<ActionResult<NotificationCallbackResponse>> NotificationCallback(
         [FromRoute] string org,
         [FromRoute] string app,
         [FromRoute] int instanceOwnerPartyId,
-        [FromRoute] Guid instanceGuid
+        [FromRoute] Guid instanceGuid,
+        [FromQuery] string? code
     )
     {
-        logger.LogInformation(
-            "Received callback for org:{Org}, app:{App}, instanceOwnerPartyId:{InstanceOwnerPartyId}, instanceGuid:{InstanceGuid}.",
-            org,
-            app,
-            instanceOwnerPartyId,
-            instanceGuid
-        );
+        bool isValid = await validator.ValidateCode(code, instanceGuid);
+        if (isValid is false)
+        {
+            logger.LogWarning(
+                "Notification callback rejected: invalid or missing code for instance {InstanceGuid}.",
+                instanceGuid
+            );
+            return Unauthorized();
+        }
 
         Instance? instance = null;
         try

src/Altinn.App.Core/Extensions/ServiceCollectionExtensions.cs

@@ -11,6 +11,7 @@
 using Altinn.App.Core.Features.Notifications.Cancellation;
 using Altinn.App.Core.Features.Notifications.Email;
 using Altinn.App.Core.Features.Notifications.Future;
+using Altinn.App.Core.Features.Notifications.SecretProvider;
 using Altinn.App.Core.Features.Notifications.Sms;
 using Altinn.App.Core.Features.Options;
 using Altinn.App.Core.Features.Options.Altinn3LibraryCodeList;
@@ -33,6 +34,7 @@
 using Altinn.App.Core.Infrastructure.Clients.Pdf;
 using Altinn.App.Core.Infrastructure.Clients.Profile;
 using Altinn.App.Core.Infrastructure.Clients.Register;
+using Altinn.App.Core.Infrastructure.Clients.Secrets;
 using Altinn.App.Core.Infrastructure.Clients.Storage;
 using Altinn.App.Core.Internal;
 using Altinn.App.Core.Internal.AltinnCdn;
@@ -100,6 +102,7 @@ IWebHostEnvironment env
         services.Configure<GeneralSettings>(configuration.GetSection("GeneralSettings"));
         services.Configure<PlatformSettings>(configuration.GetSection("PlatformSettings"));
         services.Configure<CacheSettings>(configuration.GetSection("CacheSettings"));
+        services.Configure<AppCodesSettings>(configuration.GetSection("AppCodes"));
 
         AddApplicationIdentifier(services);
 
@@ -285,6 +288,9 @@ private static void AddNotificationServices(IServiceCollection services)
         services.AddHttpClient<INotificationOrderClient, NotificationOrderClient>();
         services.TryAddTransient<INotificationService, NotificationService>();
         services.TryAddTransient<ICancelInstantiationNotification, SendOnProcessNotEnded>();
+        services.TryAddSingleton<INotificationConditionSecretProvider, NotificationConditionSecretProvider>();
+        services.TryAddSingleton<INotificationConditionTokenGenerator, NotificationConditionTokenGenerator>();
+        services.TryAddSingleton<INotificationConditionCodeValidator, NotificationConditionCodeValidator>();
     }
 
     private static void AddPdfServices(IServiceCollection services)

src/Altinn.App.Core/Features/Notifications/Exceptions/NotificationConditionSecretNotFoundException.cs

@@ -0,0 +1,9 @@
+using Altinn.App.Core.Exceptions;
+
+namespace Altinn.App.Core.Features.Notifications.Exceptions;
+
+internal class NotificationConditionSecretNotFoundException : AltinnException
+{
+    public NotificationConditionSecretNotFoundException(string message)
+        : base(message) { }
+}

src/Altinn.App.Core/Features/Notifications/NotificationService.cs

@@ -1,4 +1,5 @@
 using Altinn.App.Core.Configuration;
+using Altinn.App.Core.Features.Notifications.SecretProvider;
 using Altinn.App.Core.Features.Notifications.Texts;
 using Altinn.App.Core.Internal.AltinnCdn;
 using Altinn.App.Core.Internal.App;
@@ -18,6 +19,7 @@ namespace Altinn.App.Core.Features.Notifications;
 internal sealed class NotificationService : INotificationService
 {
     private readonly INotificationOrderClient _notificationOrderClient;
+    private readonly INotificationConditionTokenGenerator _tokenGenerator;
     private readonly IProfileClient _profileClient;
     private readonly IAltinnCdnClient _cdnClient;
     private readonly IAppMetadata _appMetadata;
@@ -27,6 +29,7 @@ internal sealed class NotificationService : INotificationService
 
     public NotificationService(
         INotificationOrderClient notificationOrderClient,
+        INotificationConditionTokenGenerator tokenGenerator,
         IProfileClient profileClient,
         IAltinnCdnClient cdnClient,
         IAppMetadata appMetadata,
@@ -36,6 +39,7 @@ ILogger<NotificationService> logger
     )
     {
         _notificationOrderClient = notificationOrderClient;
+        _tokenGenerator = tokenGenerator;
         _profileClient = profileClient;
         _cdnClient = cdnClient;
         _appMetadata = appMetadata;
@@ -57,6 +61,7 @@ CancellationToken ct
         AltinnCdnOrgName? serviceOwnerName = await _cdnClient.GetOrgNameByAppId(instance.AppId, ct);
         ApplicationMetadata? appMetadata = await _appMetadata.GetApplicationMetadata();
         string baseUrl = _generalSettings.FormattedExternalAppBaseUrl(new AppIdentifier(instance.AppId));
+        Uri callBackUri = CallbackUrlWithAuth(instance, baseUrl);
 
         NotificationOrderRequest orderRequest = CreateNotificationOrderRequest(
             language,
@@ -65,15 +70,21 @@ CancellationToken ct
             party.Name,
             serviceOwnerName,
             instantiationNotification,
-            baseUrl
+            callBackUri
         );
 
+        NotificationOrderResponse orderResponse = await _notificationOrderClient.Order(orderRequest, ct);
+
         _logger.LogInformation(
-            "Sending notification order with reference: {SendersReference}",
-            orderRequest.SendersReference
+            "Notification order created. OrderId: {OrderId}, ShipmentId: {ShipmentId}, Reference: {SendersReference}, ReminderCount: {ReminderCount}, ReminderShipmentIds: {ReminderShipmentIds}",
+            orderResponse.OrderChainId,
+            orderResponse.Notification.ShipmentId,
+            orderRequest.SendersReference,
+            orderRequest.Reminders?.Count ?? 0,
+            orderResponse.Reminders.Count > 0
+                ? string.Join(", ", orderResponse.Reminders.Select(r => r.ShipmentId))
+                : "none"
         );
-
-        await _notificationOrderClient.Order(orderRequest, ct);
     }
 
     internal static NotificationOrderRequest CreateNotificationOrderRequest(
@@ -83,7 +94,7 @@ internal static NotificationOrderRequest CreateNotificationOrderRequest(
         string? instanceOwnerName,
         AltinnCdnOrgName? serviceOwnerName,
         InstantiationNotification instantiationNotification,
-        string? callBackBaseUrl
+        Uri conditionEndpoint
     )
     {
         InstanceOwner instanceOwner = instance.InstanceOwner;
@@ -163,14 +174,6 @@ internal static NotificationOrderRequest CreateNotificationOrderRequest(
         string sendersReference = "app-" + instance.Id;
         string idempotencyId = instance.Id + "-init";
 
-        Uri? conditionEndpoint = null;
-        if (instantiationNotification.RequestedSendTime is not null)
-        {
-            conditionEndpoint = new Uri(
-                callBackBaseUrl?.TrimEnd('/') + "/api/v1/notification-webhook-listener/" + instance.Id
-            );
-        }
-
         if (string.IsNullOrWhiteSpace(instanceOwner.OrganisationNumber) is false)
         {
             NotificationRecipient recipient = new()
@@ -272,6 +275,17 @@ internal static NotificationOrderRequest CreateNotificationOrderRequest(
         );
     }
 
+    internal Uri CallbackUrlWithAuth(Instance instance, string callBackBaseUrl)
+    {
+        InstanceIdentifier instanceIdentifier = new(instance.Id);
+        string token = _tokenGenerator.GenerateToken(instanceIdentifier.InstanceGuid);
+
+        var uriBuilder = new UriBuilder(callBackBaseUrl.TrimEnd('/'));
+        uriBuilder.Path = uriBuilder.Path.TrimEnd('/') + $"/api/v1/notification-webhook-listener/{instance.Id}";
+        uriBuilder.Query = $"code={Uri.EscapeDataString(token)}";
+        return uriBuilder.Uri;
+    }
+
     private static List<NotificationReminder>? BuildReminders(
         string language,
         NotificationRecipient requestedRecipient,

src/Altinn.App.Core/Features/Notifications/SecretProvider/NotificationConditionCodeValidator.cs

@@ -0,0 +1,127 @@
+using System.Diagnostics;
+using System.Text;
+using Altinn.App.Core.Features.Notifications.Exceptions;
+using Altinn.App.Core.Infrastructure.Clients.Secrets;
+using Microsoft.Extensions.Logging;
+using Microsoft.IdentityModel.JsonWebTokens;
+using Microsoft.IdentityModel.Tokens;
+
+namespace Altinn.App.Core.Features.Notifications.SecretProvider;
+
+/// <summary>
+/// Validates JWT codes used for notification condition endpoints.
+/// </summary>
+public interface INotificationConditionCodeValidator
+{
+    /// <summary>
+    /// Validates that the provided code is a valid JWT signed with the notification condition secret,
+    /// and that it was issued for the specified instance.
+    /// </summary>
+    Task<bool> ValidateCode(string? code, Guid instanceGuid, Telemetry? telemetry = null);
+}
+
+/// <inheritdoc />
+internal sealed class NotificationConditionCodeValidator(
+    INotificationConditionSecretProvider secretProvider,
+    ILogger<NotificationConditionCodeValidator> logger
+) : INotificationConditionCodeValidator
+{
+    public async Task<bool> ValidateCode(string? code, Guid instanceGuid, Telemetry? telemetry = null)
+    {
+        using var activity = telemetry?.StartNotificationConditionValidateActivity(instanceGuid);
+
+        if (string.IsNullOrWhiteSpace(code))
+        {
+            logger.LogWarning("Notification condition code validation failed: no code provided.");
+            return false;
+        }
+
+        IReadOnlyList<AppCode> secrets;
+        try
+        {
+            secrets = secretProvider.GetValidationSecrets();
+        }
+        catch (NotificationConditionSecretNotFoundException ex)
+        {
+            logger.LogWarning(ex, "Notification condition code validation failed - secrets not found.");
+            activity?.SetStatus(
+                ActivityStatusCode.Error,
+                "Notification condition code validation failed - secrets not found."
+            );
+            return false;
+        }
+
+        JsonWebTokenHandler handler = new();
+
+        // Read secret_id from token without validation to find the right secret
+        JsonWebToken jwt;
+        try
+        {
+            jwt = handler.ReadJsonWebToken(code);
+        }
+        catch (Exception ex)
+        {
+            logger.LogWarning(ex, "Notification condition code validation failed: could not read token.");
+            activity?.SetStatus(ActivityStatusCode.Error, "Could not read token.");
+            return false;
+        }
+
+        string? secretId = jwt.GetClaim("secret_id")?.Value;
+        AppCode? appCode = secretId is not null
+            ? secrets.FirstOrDefault(s => s.Id == secretId)
+            : secrets.FirstOrDefault();
+
+        if (appCode is null)
+        {
+            logger.LogWarning(
+                "Notification condition code validation failed: no secret found for secret_id {SecretId} for instance {InstanceGuid}.",
+                secretId,
+                instanceGuid
+            );
+            activity?.SetStatus(ActivityStatusCode.Error, "No secret found for token secret_id.");
+            return false;
+        }
+
+        SymmetricSecurityKey key = new(Encoding.UTF8.GetBytes(appCode.Code));
+        TokenValidationResult result = await handler.ValidateTokenAsync(
+            code,
+            new TokenValidationParameters
+            {
+                ValidateIssuerSigningKey = true,
+                IssuerSigningKey = key,
+                ValidateIssuer = false,
+                ValidateAudience = false,
+                ValidateLifetime = true,
+                ClockSkew = TimeSpan.FromMinutes(5),
+            }
+        );
+
+        if (!result.IsValid)
+        {
+            logger.LogWarning(
+                "Notification condition code validation failed: token is invalid for instance {InstanceGuid}. Reason: {Reason}",
+                instanceGuid,
+                result.Exception?.Message
+            );
+            activity?.SetStatus(ActivityStatusCode.Error, "Token validation failed.");
+            return false;
+        }
+
+        bool jtiMatches =
+            result.Claims.TryGetValue(JwtRegisteredClaimNames.Jti, out object? jti)
+            && jti?.ToString() == instanceGuid.ToString();
+
+        if (!jtiMatches)
+        {
+            logger.LogWarning(
+                "Notification condition code validation failed: jti claim {Jti} does not match instanceGuid {InstanceGuid}.",
+                jti,
+                instanceGuid
+            );
+            activity?.SetStatus(ActivityStatusCode.Error, "Token jti did not match instance guid.");
+            return false;
+        }
+
+        return true;
+    }
+}

src/Altinn.App.Core/Features/Notifications/SecretProvider/NotificationConditionSecretProvider.cs

@@ -0,0 +1,47 @@
+using Altinn.App.Core.Features.Notifications.Exceptions;
+using Altinn.App.Core.Infrastructure.Clients.Secrets;
+using Microsoft.Extensions.Options;
+
+namespace Altinn.App.Core.Features.Notifications.SecretProvider;
+
+/// <summary>
+/// Provides a secret used for signing and validating notification condition endpoint JWT tokens.
+/// </summary>
+internal interface INotificationConditionSecretProvider
+{
+    /// <summary>
+    /// Gets the secret used for signing JWT tokens for notification condition endpoints.
+    /// </summary>
+    AppCode GetSigningSecret();
+
+    /// <summary>
+    /// Get the currently available secrets for validation.
+    /// </summary>
+    IReadOnlyList<AppCode> GetValidationSecrets();
+}
+
+/// <inheritdoc />
+internal sealed class NotificationConditionSecretProvider(IOptionsMonitor<AppCodesSettings> options)
+    : INotificationConditionSecretProvider
+{
+    /// <inheritdoc />
+    public AppCode GetSigningSecret()
+    {
+        var codes = options.CurrentValue.NotificationCallback;
+        if (codes is null or { Count: 0 })
+            throw new NotificationConditionSecretNotFoundException(
+                "AppCodes:Monthly is not configured. Ensure the app-codes secret is mounted."
+            );
+        return codes[0];
+    }
+
+    public IReadOnlyList<AppCode> GetValidationSecrets()
+    {
+        var codes = options.CurrentValue.NotificationCallback;
+        if (codes is null or { Count: 0 })
+            throw new NotificationConditionSecretNotFoundException(
+                "AppCodes:Monthly is not configured. Ensure the app-codes secret is mounted."
+            );
+        return codes;
+    }
+}