
Commit ead24ea4 authored by harshit aggarwal's avatar harshit aggarwal

resolving merge conflicts

parents cf5abd62 235e757a
......@@ -19,6 +19,7 @@ The following software have components provided under the terms of this license:
- Apache Commons Validator (from http://commons.apache.org/proper/commons-validator/)
- Apache HttpAsyncClient (from http://hc.apache.org/httpcomponents-asyncclient)
- Apache HttpClient (from http://hc.apache.org/httpcomponents-client)
- Apache HttpClient Cache (from http://hc.apache.org/httpcomponents-client)
- Apache HttpCore (from http://hc.apache.org/httpcomponents-core-ga)
- Apache HttpCore NIO (from http://hc.apache.org/httpcomponents-core-ga)
- Apache Log4j API (from )
......
......@@ -41,6 +41,8 @@ az keyvault secret show --vault-name $KEY_VAULT_NAME --name $KEY_VAULT_SECRET_NA
| --- | --- | --- | --- | --- |
| `server.servlet.contextPath` | `/entitlements/v1/` | Servlet context path | no | - |
| `service_domain_name` | ex `contoso.com` | The name of the domain for which the service will run | no | -- |
| `partition_service_endpoint` | ex `https://foo-partition.azurewebsites.net` | Partition Service API endpoint | no | output of infrastructure deployment |
| `azure.activedirectory.app-resource-id` | `********` | AAD client application ID | yes | output of infrastructure deployment |
| `aad_client_id` | `********` | AAD client application ID | yes | output of infrastructure deployment |
| `azure.activedirectory.AppIdUri` | `api://${azure.activedirectory.client-id}` | URI for AAD Application | no | -- |
| `cosmosdb_database` | ex `foo-db` | The name of the CosmosDB database | no | output of infrastructure deployment |
......@@ -73,23 +75,23 @@ with these settings service expects "x-payload" header which contains Base64 enc
| name | value | description | sensitive? | source |
| --- | --- | --- | --- | --- |
| `ENTITLEMENT_URL` | ex `http://localhost:8080/` | The host where the service is running | no | -- |
| `DOMAIN` | ex `contoso.com` | Must match the value of `service_domain_name` above | no | -- |
| `MY_TENANT` | ex `opendes` | OSDU tenant used for testing | no | -- |
| `AZURE_AD_TENANT_ID` | `********` | AD tenant to authenticate users from | yes | -- |
| `INTEGRATION_TESTER` | `********` | System identity to assume for API calls. Note: this user must have entitlements configured already | no | -- |
| `ENTITLEMENT_MEMBER_NAME_VALID` | `********` | Secret from `$INTEGRATION_TESTER` for userInfo cosmoscollection partitionId | yes | Create in userInfo cosmosCollection |
| `AZURE_TESTER_SERVICEPRINCIPAL_SECRET` | `********` | Secret for `$INTEGRATION_TESTER` | yes | -- |
| `AZURE_AD_TENANT_ID` | `********` | AD tenant to authenticate users from | yes | -- |
| `AZURE_AD_APP_RESOURCE_ID` | `********` | AAD client application ID | yes | output of infrastructure deployment |
| `AZURE_AD_OTHER_APP_RESOURCE_ID` | `********` | AAD client application ID for another application | yes | -- |
| `AZURE_AD_OTHER_APP_RESOURCE_ID` | ex. `********` | Valid secondary application for Testing | yes | -- |
| `AZURE_AD_OTHER_APP_RESOURCE_OID` | ex. `********` | Valid secondary application for Testing | yes | -- |
| `DOMAIN` | ex `contoso.com` | Must match the value of `service_domain_name` above | no | -- |
| `EXPIRED_TOKEN` | `********` | An expired JWT token | yes | Create one, then wait until it expires |
| `ENTITLEMENT_MEMBER_NAME_INVALID` | ex. `InvalidTestAdmin` | Used for negative testing | no | -- |
| `ENTITLEMENT_MEMBER_NAME_VALID` | `********` | Secret from `$INTEGRATION_TESTER` for userInfo cosmoscollection partitionId | yes | Create in userInfo cosmosCollection |
| `ENTITLEMENT_GROUP_NAME_VALID` | ex. `data.test1` | A group name generated by running integration tests. | no | -- |
| `ENTITLEMENT_MEMBER_NAME_INVALID` | ex. `InvalidTestAdmin` | Used for negative testing | no | -- |
| `AZURE_AD_USER_EMAIL` | ex. `********` | Valid member user email in the AD Tenant for Testing | yes | -- |
| `AZURE_AD_USER_OID` | ex. `********` | Valid member user objectIdin the AD Tenant for Testing | yes | -- |
| `AZURE_AD_GUEST_EMAIL` | ex. `********` | Valid guest user email in the AD Tenant for Testing | yes | -- |
| `AZURE_AD_GUEST_OID` | ex. `********` | Valid guest user objectId in the AD Tenant for Testing | yes | -- |
| `AZURE_AD_OTHER_APP_RESOURCE_ID` | ex. `********` | Valid secondary application for Testing | yes | -- |
| `AZURE_AD_OTHER_APP_RESOURCE_OID` | ex. `********` | Valid secondary application for Testing | yes | -- |
| `AZURE_AD_USER_OID` | ex. `********` | Valid member user objectIdin the AD Tenant for Testing | yes | -- |
| `AZURE_AD_GUEST_EMAIL` | ex. `********` | Valid guest user email in the AD Tenant for Testing | yes | -- |
| `AZURE_AD_GUEST_OID` | ex. `********` | Valid guest user objectId in the AD Tenant for Testing | yes | -- |
| `AZURE_INVALID_EMAIL` | ex. `invalid.test@email.com` | Invalid Email for Testing | no | -- |
| `AZURE_INVALID_APP_ID` | ex. `03015fad-093c-424a-a7c4-42ed9993f9e3` | Invalid Appilication Identity for Testing | no | -- |
| `AZURE_INVALID_ID` | ex. `03012fadBADX424a-a7c4-42ed9993f9e3` | Invalid Identity for Testing | no | -- |
......@@ -106,26 +108,7 @@ Java version: 1.8.0_212, vendor: AdoptOpenJDK, runtime: /usr/lib/jvm/jdk8u212-b0
...
```
You may need to configure access to the remote maven repository that holds the OSDU dependencies. A default file should live within `~/.m2/settings.xml`:
```bash
$ cat ~/.m2/settings.xml
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
<servers>
<server>
<id>os-core</id>
<username>mvn-pat</username>
<!-- Treat this auth token like a password. Do not share it with anyone, including Microsoft support. -->
<!-- The generated token expires on or before 11/14/2019 -->
<password>$PERSONAL_ACCESS_TOKEN_GOES_HERE</password>
</server>
</servers>
</settings>
```
_A settings file is also conveniently located in ./.mvn/community-maven.settings.xml which is also used for CI/CD processes._
### Build, Run and Test the application Locally
......@@ -156,15 +139,15 @@ Jet Brains - the authors of Intellij IDEA, have written an [excellent guide](htt
Here is how you can configure user entitlements via the Azure specific API.
###Create a new user or service principal.
###Create a new user or service principal.
The request body contains the user or service principal to create in JSON format. At a minimum, you must specify the required properties for the user or service principal.
The request body contains the user or service principal to create in JSON format. At a minimum, you must specify the required properties for the user or service principal.
The required properties for a user or service principal is the uid and one tenant with one group. The uid is either a user email or a service principal UUID.
You can optionally specify any additional tenants and groups.
####Permissions
The following permission is required to call this API.
The following permission is required to call this API.
service.entitlements.admin
......@@ -223,15 +206,15 @@ Here is an example of the request.
In the request body, supply a JSON representation of user object.
###Update a user or service principal.
###Update a user or service principal.
The request body contains the user or service principal to update in JSON format. At a minimum, you must specify the required properties for the user or service principal.
The request body contains the user or service principal to update in JSON format. At a minimum, you must specify the required properties for the user or service principal.
The required properties for a user or service principal is the uid and one tenant with one group. The uid is either a user email or a service principal UUID.
You can optionally specify any additional tenants and groups.
####Permissions
The following permission is required to call this API.
The following permission is required to call this API.
service.entitlements.admin
......
# This file contains the essential configs for the osdu on azure helm chart
global:
# Service(s) Replica Count
replicaCount: 2
################################################################################
# Specify the Gitlab branch being used for image creation
# ie: community.opengroup.org:5555/osdu/platform/security-and-compliance/entitlements-azure/{{ .Values.global.branch }}/entitlements-azure:latest
#
image:
repository: #{container-registry}#.azurecr.io
branch: #{ENVIRONMENT_NAME}#
tag: #{Build.SourceVersion}#
......@@ -64,35 +64,40 @@ spec:
- name: AZURE_CLIENT_ID
valueFrom:
secretKeyRef:
name: clientid
key: clientid
name: active-directory
key: principal-clientid
- name: AZURE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: clientpassword
key: clientpassword
name: active-directory
key: principal-clientpassword
- name: AZURE_TENANT_ID
valueFrom:
configMapKeyRef:
name: osdu-svc-properties
key: ENV_TENANT_ID
secretKeyRef:
name: active-directory
key: tenantid
- name: AZURE_SP_OBJECT_ID
valueFrom:
secretKeyRef:
name: active-directory
key: principal-objectid
- name: aad_client_id
valueFrom:
secretKeyRef:
name: appid
key: appid
name: active-directory
key: application-appid
- name: appinsights_key
valueFrom:
secretKeyRef:
name: appinsights
name: central-logging
key: appinsights
- name: azure_activedirectory_session_stateless
value: "true"
- name: azure_activedirectory_AppIdUri
value: "api://$(aad_client_id)"
- name: cosmosdb_database
value: osdu-db
- name: service_domain_name
value: contoso.com
- name: partition_service_endpoint
value: http://partition/api/partition/v1
- name: azure_istioauth_enabled
value: "true"
- name: azure_activedirectory_AppIdUri
value: "api://$(aad_client_id)"
# Copyright © Microsoft Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
trigger:
batch: true
branches:
include:
- master
paths:
exclude:
- /**/*.md
- .gitignore
resources:
repositories:
- repository: FluxRepo
type: git
name: k8-gitops-manifests
- repository: TemplateRepo
type: git
name: infra-azure-provisioning
variables:
- group: 'Azure - OSDU'
- group: 'Azure - OSDU Secrets'
- name: serviceName
value: "entitlements-azure"
- name: chartPath
value: "devops/azure/chart"
- name: valuesFile
value: "devops/azure/chart/helm-config.yaml"
- name: 'MANIFEST_REPO'
value: $[ resources.repositories['FluxRepo'].name ]
- name: SKIP_TESTS
value: 'false'
stages:
- template: /devops/build-stage.yml@TemplateRepo
parameters:
copyFileContents: |
pom.xml
maven/settings.xml
target/*.jar
copyFileContentsToFlatten: ''
mavenOptions: ''
serviceBase: ${{ variables.serviceName }}
testingRootFolder: 'integration-tests'
chartPath: ${{ variables.chartPath }}
- template: /devops/deploy-stages.yml@TemplateRepo
parameters:
serviceName: ${{ variables.serviceName }}
chartPath: ${{ variables.chartPath }}
valuesFile: ${{ variables.valuesFile }}
skipDeploy: ${{ variables.SKIP_DEPLOY }}
skipTest: ${{ variables.SKIP_TESTS }}
providers:
- name: Azure
environments: ['dev']
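Review bot: `skipDeploy: ${{ variables.SKIP_DEPLOY }}` references a variable this pipeline never declares — the `variables:` block defines `SKIP_TESTS` but no `SKIP_DEPLOY` — so unless one of the two variable groups happens to supply it, the template parameter expands to an empty string and the deploy stage's skip logic runs on an unset value; declare it beside its sibling, `- name: SKIP_DEPLOY` / `value: 'false'`. The demo pipeline that follows this file has the identical gap. Separately, `copyFileContents` publishes `maven/settings.xml` into the build artifact; that is only safe if the file carries placeholders or references to secret variables rather than a real token, which is worth confirming given this same commit removes a PAT-bearing settings.xml example from the README.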
# Copyright © Microsoft Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
trigger:
batch: true
branches:
include:
- master
paths:
exclude:
- /**/*.md
- .gitignore
resources:
repositories:
- repository: FluxRepo
type: git
name: k8-gitops-manifests
- repository: TemplateRepo
type: git
name: infra-azure-provisioning
variables:
- group: 'Azure - OSDU'
- group: 'Azure - OSDU Secrets'
- name: serviceName
value: "entitlements-azure"
- name: chartPath
value: "devops/azure/chart"
- name: valuesFile
value: "devops/azure/chart/helm-config.yaml"
- name: 'MANIFEST_REPO'
value: $[ resources.repositories['FluxRepo'].name ]
- name: SKIP_TESTS
value: 'false'
stages:
- template: /devops/build-stage.yml@TemplateRepo
parameters:
copyFileContents: |
pom.xml
maven/settings.xml
target/*.jar
copyFileContentsToFlatten: ''
mavenOptions: ''
serviceBase: ${{ variables.serviceName }}
testingRootFolder: 'integration-tests'
chartPath: ${{ variables.chartPath }}
- template: /devops/deploy-stages.yml@TemplateRepo
parameters:
serviceName: ${{ variables.serviceName }}
chartPath: ${{ variables.chartPath }}
valuesFile: ${{ variables.valuesFile }}
skipDeploy: ${{ variables.SKIP_DEPLOY }}
skipTest: ${{ variables.SKIP_TESTS }}
providers:
- name: Azure
environments: ['demo']
......@@ -68,7 +68,7 @@ spec:
secretProviderClass: azure-keyvault
containers:
- name: osdu-flux-entitlements-azure
image: community.opengroup.org:5555/osdu/platform/security-and-compliance/entitlements-azure/entitlements-azure-master:latest
image: community.opengroup.org:5555/osdu/platform/security-and-compliance/entitlements-azure/entitlements-azure-trusted-partition-svc:latest
imagePullPolicy: Always
ports:
- containerPort: 80
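Review bot: The image is now `…/entitlements-azure-trusted-partition-svc:latest`, a branch-named floating tag, paired with `imagePullPolicy: Always` on the next line, so every pod restart pulls whatever was last pushed under that branch name and the manifest no longer identifies a reproducible build. If the branch image is intentional for this environment, pin it to an immutable tag or digest (`image: <registry>/entitlements-azure@sha256:<digest>`, placeholder) or switch back to the master image once the branch is merged. The container spec continues outside the hunk.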
......@@ -95,33 +95,45 @@ spec:
- name: AZURE_CLIENT_ID
valueFrom:
secretKeyRef:
name: clientid
key: clientid
name: active-directory
key: principal-clientid
- name: AZURE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: clientpassword
key: clientpassword
name: active-directory
key: principal-clientpassword
- name: AZURE_TENANT_ID
valueFrom:
configMapKeyRef:
name: osdu-svc-properties
key: ENV_TENANT_ID
secretKeyRef:
name: active-directory
key: tenantid
- name: AZURE_SP_OBJECT_ID
valueFrom:
secretKeyRef:
name: active-directory
key: principal-objectid
- name: aad_client_id
valueFrom:
secretKeyRef:
name: appid
key: appid
name: active-directory
key: application-appid
- name: appinsights_key
valueFrom:
secretKeyRef:
name: appinsights
name: central-logging
key: appinsights
- name: azure_activedirectory_session_stateless
value: "true"
- name: azure_activedirectory_AppIdUri
value: "api://$(aad_client_id)"
- name: cosmosdb_database
value: osdu-db
- name: service_domain_name
value: contoso.com
- name: partition_service_endpoint
value: http://partition/api/partition/v1
# If Istio is enabled L#126 is true and L# 127-130 removed
- name: azure_istioauth_enabled
value: "false"
- name: azure_activedirectory_session_stateless
value: "true"
- name: azure_activedirectory_AppIdUri
value: "api://$(aad_client_id)"
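Review bot: The comment `# If Istio is enabled L#126 is true and L# 127-130 removed` refers to file line numbers, and this very hunk shifts them (the env list grows by a dozen lines), so the reference is already stale. Replace it with a description of the entries it means, e.g. `# With Istio auth enabled set azure_istioauth_enabled to "true" and drop the azure_activedirectory_session_stateless and azure_activedirectory_AppIdUri entries below`. The earlier deployment hunk in this commit (@@ -64,35 +64,40 @@) appears to set `azure_istioauth_enabled` to "true" while keeping those two entries, so the intended per-environment difference should be spelled out rather than left to line numbers. The container spec continues outside the hunk.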
......@@ -26,7 +26,7 @@
</parent>
<groupId>org.opengroup.osdu.azure</groupId>
<artifactId>entitlements</artifactId>
<version>0.0.3-SNAPSHOT</version>
<version>0.0.4-SNAPSHOT</version>
<name>entitlements</name>
<description>Entitlements Service on Azure</description>
......@@ -60,7 +60,7 @@
<springfox-version>2.7.0</springfox-version>
<reactor.netty.version>0.9.0.RELEASE</reactor.netty.version>
<reactor.core.version>3.3.0.RELEASE</reactor.core.version>
<osdu.azurecore.version>0.0.28</osdu.azurecore.version>
<osdu.azurecore.version>0.0.33</osdu.azurecore.version>
</properties>
<licenses>
......@@ -75,7 +75,7 @@
<dependency>
<groupId>org.opengroup.osdu</groupId>
<artifactId>os-core-common</artifactId>
<version>0.3.4</version>
<version>0.3.12</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
......
......@@ -14,21 +14,17 @@
package org.opengroup.osdu.azure.entitlements.di;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
import lombok.Getter;
import org.springframework.beans.factory.annotation.Autowired;
import org.opengroup.osdu.azure.util.AzureServicePrincipal;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.annotation.PostConstruct;
import javax.inject.Named;
@Configuration
@Getter
public class AzureBootstrapConfig {
@Value("${azure.keyvault.url}")
private String keyVaultURL;
......@@ -36,56 +32,28 @@ public class AzureBootstrapConfig {
private String cosmosDBName;
@Value("${azure.application-insights.instrumentation-key}")
private String appInsightsKey ;
private String appInsightsKey;
@Value("${spring.application.name}")
private String springAppName ;
@Value("${azure.oath2.uri}")
private String oath2URI;
private String springAppName;
@Value("${azure.graph.uri}")
private String graphURI;
@Value("${azure.graph.resourceid}")
private String graphResourceId ;
private String graphResourceId;
@Value("${azure.graph-api.uri}")
private String graphApiURI ;
private String graphApiURI;
@Value("${azure.graph-api.appid}")
private String graphApiAppId ;
private String graphApiAppId;
@Value("${azure.graph-api.version}")
private String graphApiVersion ;
private String appDevSpId;
@Autowired
private SecretClient secretClient;
private String graphApiVersion;
@PostConstruct
public void setAppDevSpId() {
appDevSpId = getKeyVaultSecret("app-dev-sp-id");
}
@Bean
@Named("APP_DEV_SP_TENANT_ID")
public String appDevSpTenantId() {
return getKeyVaultSecret("app-dev-sp-tenant-id");
}
@Bean
@Named("APP_DEV_SP_USERNAME")
public String appDevSpUsername() {
return getKeyVaultSecret("app-dev-sp-username");
}
@Bean
@Named("APP_DEV_SP_PASSWORD")
public String appDevSpPassword() {
return getKeyVaultSecret("app-dev-sp-password");
}
@Value("${azure.activedirectory.sp-object-id}")
private String azureSPObjectId;
@Bean
@Named("APPINSIGHTS_KEY")
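Review bot: `azureSPObjectId` is bound from `${azure.activedirectory.sp-object-id}`, while the deployment manifests in this commit export the value as `AZURE_SP_OBJECT_ID`; Spring's relaxed binding maps that property to `AZURE_ACTIVEDIRECTORY_SPOBJECTID`, so the two only meet if application.properties bridges them (as it presumably does for `aad_client_id`, which is not visible here). Confirm that mapping exists, e.g. `azure.activedirectory.sp-object-id=${AZURE_SP_OBJECT_ID}`, otherwise the context fails at startup on an unresolved placeholder. The new field also deserves a one-line comment stating what the object id identifies, since the Key Vault lookups it replaces are gone. The class body continues outside the hunk.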
......@@ -111,54 +79,38 @@ public class AzureBootstrapConfig {
return keyVaultURL;
}
@Bean
@Named("OATH2_URI")
public String oath2URI() { return oath2URI; }
@Bean
@Named("GRAPH_URI")
public String graphURI() { return graphURI; }
public String graphURI() {
return graphURI;
}
@Bean
@Named("GRAPH_RESOURCEID")
public String graphResourceId() { return graphResourceId; }
public String graphResourceId() {
return graphResourceId;
}
@Bean
@Named("GRAPH_API_URI")
public String graphApiURI() { return graphApiURI; }
public String graphApiURI() {
return graphApiURI;
}
@Bean
@Named("GRAPH_API_APPID")
public String graphApiAppId() { return graphApiAppId; } ;
public String graphApiAppId() {
return graphApiAppId;
}
@Bean
@Named("GRAPH_API_VERSION")
public String graphApiVersion() { return graphApiVersion; } ;
@Bean
@Named("COSMOS_ENDPOINT")
public String cosmosEndpoint() {
return getKeyVaultSecret("cosmos-endpoint");
public String graphApiVersion() {
return graphApiVersion;
}
@Bean
@Named("COSMOS_KEY")
public String cosmosKey() {
return getKeyVaultSecret("cosmos-primary-key");
}
String getKeyVaultSecret(String secretName) {
KeyVaultSecret secret = secretClient.getSecret(secretName);
if (secret == null) {
throw new IllegalStateException(String.format("No secret found with name %s", secretName));
}
String secretValue = secret.getValue();
if (secretValue == null) {
throw new IllegalStateException(String.format(
"Secret unexpectedly missing from KeyVault response for secret with name %s", secretName));
}
return secretValue;
public AzureServicePrincipal getAzureServicePrincipal() {
return new AzureServicePrincipal();
}
}
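Review bot: `getAzureServicePrincipal()` is, if the `@Bean` above it belongs to the new side, registered under the bean name `getAzureServicePrincipal`, whereas every other factory method in this class is named after its bean (`graphURI`, `graphApiVersion`); renaming it to `azureServicePrincipal()` keeps the naming consistent and avoids a getter-style name that Lombok's `@Getter` on the class would otherwise suggest is a field accessor. A short Javadoc, `/** Service-principal helper used for AAD token acquisition; replaces the former Key Vault-backed credential beans. */`, would also record why the `COSMOS_*` and `APP_DEV_SP_*` beans disappeared. The enclosing class starts outside the hunk.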
// Copyright © Microsoft Corporation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package org.opengroup.osdu.azure.entitlements.di;
import org.opengroup.osdu.core.common.model.http.DpsHeaders;
import org.opengroup.osdu.core.common.provider.interfaces.ITenantFactory;
import org.opengroup.osdu.core.common.model.tenant.TenantInfo;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.stereotype.Component;
@Component("TenantInfoProvider")