apply modification in headerInfo and RequestInfo

indexer-service-azure/pom.xml

@@ -85,16 +85,6 @@
             <artifactId>msal4j</artifactId>
             <version>0.5.0-preview</version>
         </dependency>
-<!--        <dependency>-->
-<!--            <groupId>org.json</groupId>-->
-<!--            <artifactId>json</artifactId>-->
-<!--            <version>20090211</version>-->
-<!--        </dependency>-->
-        <!-- Spring 3 dependencies -->
-<!--        <dependency>-->
-<!--            <groupId>org.springframework.boot</groupId>-->
-<!--            <artifactId>spring-boot-starter-thymeleaf</artifactId>-->
-<!--        </dependency>-->
     </dependencies>
 
     <build>

indexer-service-azure/src/main/java/org/opendes/indexer/azure/api/AADController.java

@@ -23,25 +23,7 @@ public class AADController {
 
         String token  =  service.getIdToken("common");
 
-        String oboApiCallRes = callOboService(token);
-
-        return new ResponseEntity<>(HttpStatus.OK);
-    }
-
-    private String callOboService(String accessToken){
-        RestTemplate restTemplate = new RestTemplate();
-
-        HttpHeaders headers = new HttpHeaders();
-        headers.setContentType(MediaType.APPLICATION_JSON);
-
-        headers.set("Authorization", "Bearer " + accessToken);
-
-        HttpEntity<String> entity = new HttpEntity<>(null, headers);
-
-        String result = restTemplate.exchange("http://localhost:8081/api", HttpMethod.GET,
-                entity, String.class).getBody();
-
-        return result;
+        return new ResponseEntity<String>(token, HttpStatus.OK);
     }
 }
 

indexer-service-azure/src/main/java/org/opendes/indexer/azure/api/Hello.java

-package org.opendes.indexer.azure.api;
-
-import org.opendes.core.util.IServiceAccountJwtClient;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.http.HttpStatus;
-import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
-
-import javax.annotation.security.PermitAll;
-
-@RestController
-@RequestMapping
-public class Hello {
-
-    @GetMapping("/hello")
-    @PermitAll
-   public String Default() {
-       return "Hello Azure Indexer!!!";
-   }
-
-}

indexer-service-azure/src/main/java/org/opendes/indexer/azure/security/BasicAuthSecurityConfig.java

+//  Copyright © Microsoft Corporation
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+package org.opendes.indexer.azure.security;
+
+import com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+public class BasicAuthSecurityConfig extends WebSecurityConfigurerAdapter {
+    @Autowired
+    private AADAppRoleStatelessAuthenticationFilter appRoleAuthFilter;
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+                .csrf().disable()
+                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
+                .and()
+                .authorizeRequests()
+                .antMatchers("/", "/index.html","/obo_api",
+                        "/index-worker", "/_dps/task-handlers", "/_dps/task-handlers/**",
+                        "/reindex",
+                        "/v2/api-docs",
+                        "/swagger-resources/**",
+                        "/configuration/security",
+                        "/swagger",
+                        "/swagger-ui.html",
+                        "/webjars/**").permitAll()
+                .anyRequest().authenticated()
+                .and()
+                .addFilterBefore(appRoleAuthFilter, UsernamePasswordAuthenticationFilter.class);
+    }
+}

indexer-service-azure/src/main/java/org/opendes/indexer/azure/security/WhoamiController.java

+//  Copyright © Microsoft Corporation
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+package org.opendes.indexer.azure.security;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+@Controller
+public class WhoamiController {
+    @RequestMapping(value = {"/", "/whoami"})
+    @ResponseBody
+    public String whoami() {
+        final Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+
+        String userName = auth.getName();
+        String roles = String.valueOf(auth.getAuthorities());
+        String details = String.valueOf(auth.getPrincipal());
+
+        return "user: " + userName + "<BR>" +
+                "roles: " + roles + "<BR>" +
+                "details: " + details;
+    }
+}
+

indexer-service-azure/src/main/java/org/opendes/indexer/azure/util/HeadersInfoAzureImpl.java

@@ -42,8 +42,6 @@ public class HeadersInfoAzureImpl implements IHeadersInfo {
         FORBIDDEN_FROM_LOGGING.add(DpsHeaders.ON_BEHALF_OF);
     }
 
-    private static final HashSet<String> FORWARDED_HEADERS = new HashSet<>();
-
     @Override
     public DpsHeaders getHeaders() {
         if (headersMap == null) {
@@ -78,7 +76,7 @@ public class HeadersInfoAzureImpl implements IHeadersInfo {
         Preconditions.checkNotNull(input, "input headers cannot be null");
 
         DpsHeaders output = DpsHeaders.createFromMap(input);
-        output.addCorrelationIdIfMissing();
+        //output.addCorrelationIdIfMissing();
         return output;
     }
 

indexer-service-azure/src/main/java/org/opendes/indexer/azure/util/RequestInfoImpl.java

@@ -3,14 +3,12 @@ package org.opendes.indexer.azure.util;
 import com.google.common.base.Strings;
 import org.apache.http.HttpStatus;
 import org.opendes.core.model.DeploymentEnvironment;
-import org.opendes.core.util.AppException;
-import org.opendes.core.util.Config;
-import org.opendes.core.util.IHeadersInfo;
-import org.opendes.core.util.IServiceAccountJwtClient;
+import org.opendes.core.util.*;
 import org.opendes.indexer.util.IRequestInfo;
 import org.opengroup.osdu.client.api.DpsHeaders;
 import org.opengroup.osdu.client.multitenancy.TenantInfo;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 import org.springframework.web.context.annotation.RequestScope;
 
@@ -23,6 +21,9 @@ import static org.opengroup.osdu.client.api.DpsHeaders.AUTHORIZATION;
 @RequestScope
 public class RequestInfoImpl implements IRequestInfo {
 
+    @Autowired
+    private DpsHeaders dpsHeaders;
+
     @Autowired
     private IHeadersInfo headersInfo;
     @Autowired
@@ -31,8 +32,13 @@ public class RequestInfoImpl implements IRequestInfo {
     @Autowired
     private TenantInfo tenantInfo;
 
+    @Value("${DEPLOYMENT_ENVIRONMENT}")
+    private String DEPLOYMENT_ENVIRONMENT;
+
+
     @Override
     public DpsHeaders getHeaders() {
+
         return this.headersInfo.getHeaders();
     }
 
@@ -53,19 +59,18 @@ public class RequestInfoImpl implements IRequestInfo {
 
     @Override
     public DpsHeaders getHeadersWithDwdAuthZ() {
-        DpsHeaders output = this.headersInfo.getHeaders();
-        output.put(AUTHORIZATION, this.checkOrGetAuthorizationHeader());
-        return output;
+        this.dpsHeaders.put(AUTHORIZATION, this.checkOrGetAuthorizationHeader());
+        return this.headersInfo.getHeaders();
     }
 
     @Override
-    public boolean isCronRequest() { return false; }
+    public boolean isCronRequest() { return false;}
 
     @Override
-    public boolean isTaskQueueRequest() { return false; }
+    public boolean isTaskQueueRequest() {return false;}
 
-    private String checkOrGetAuthorizationHeader() {
-        if (Config.getDeploymentEnvironment() == DeploymentEnvironment.LOCAL) {
+    public String checkOrGetAuthorizationHeader() {
+        if (DeploymentEnvironment.valueOf(DEPLOYMENT_ENVIRONMENT) == DeploymentEnvironment.LOCAL) {
             String authHeader = this.headersInfo.getHeaders().getAuthorization();
             if (Strings.isNullOrEmpty(authHeader)) {
                 throw new AppException(HttpStatus.SC_UNAUTHORIZED, "Invalid authorization header", "Authorization token cannot be empty");
@@ -75,5 +80,4 @@ public class RequestInfoImpl implements IRequestInfo {
             return "Bearer " + this.serviceAccountJwtClient.getIdToken(tenantInfo.getName());
         }
     }
-
 }

indexer-service-azure/src/main/java/org/opendes/indexer/azure/util/ServiceAccountJwtClientImpl.java

 package org.opendes.indexer.azure.util;
 
+import com.auth0.jwt.JWT;
 import com.auth0.jwt.exceptions.JWTDecodeException;
-import com.microsoft.aad.msal4j.*;
+import com.microsoft.aad.adal4j.AuthenticationContext;
+import com.microsoft.aad.adal4j.AuthenticationResult;
+import com.microsoft.aad.adal4j.ClientCredential;
 import org.apache.http.HttpStatus;
 import org.opendes.core.cache.JwtCache;
 import org.opendes.core.logging.JaxRsDpsLog;
@@ -19,6 +22,7 @@ import org.springframework.web.context.annotation.RequestScope;
 
 
 import javax.naming.ServiceUnavailableException;
+import java.net.MalformedURLException;
 import java.util.*;
 import java.util.concurrent.*;
 
@@ -31,114 +35,60 @@ public class ServiceAccountJwtClientImpl implements IServiceAccountJwtClient {
     @Autowired
     private IHeadersInfo headersInfoAzure;
     @Autowired
+    private DpsHeaders dpsHeaders;
+    @Autowired
     private JwtCache cacheService;
     @Autowired
     private JaxRsDpsLog log;
 
     @Autowired
     private AADConfiguration configuration;
-//
-//    public String getIdToken(String tenantName) {
-//        this.log.info("Tenant name received for auth token is: " + tenantName);
-//        TenantInfo tenant = this.tenantInfoServiceProvider.getTenantInfo(tenantName);
-//        if (tenant == null) {
-//            this.log.error("Invalid tenant name receiving from azure");
-//            throw new AppException(HttpStatus.SC_BAD_REQUEST, "Invalid tenant Name", "Invalid tenant Name from azure");
-//        }
-//        String ACCESS_TOKEN = "";
-//        try {
-//
-//            IdToken cachedToken = this.cacheService.get(tenant.getServiceAccount());
-//            this.headersInfoAzure.getHeaders().put(DpsHeaders.USER_EMAIL, tenant.getServiceAccount());
-//
-//            if (!IdToken.refreshToken(cachedToken)) {
-//                ACCESS_TOKEN = cachedToken.getTokenValue();
-//            }
-//
-//            ExecutorService service = Executors.newFixedThreadPool(1);
-//            AuthenticationContext context = null;
-//
-//            try {
-//                context = new AuthenticationContext(configuration.getAuthority(), false, service);
-//                ClientCredential credential = new ClientCredential(configuration.getClientId(), configuration.getSecretKey());
-//                Future<AuthenticationResult> future = context.acquireToken(configuration.getOboApi(), credential, null);
-//
-//                ACCESS_TOKEN =  future.get().getAccessToken();
-//
-//                if (future == null) {
-//                    log.error(String.format("Azure Authentication: %s", future.get().getAccessToken()));
-//                    throw new AppException(HttpStatus.SC_FORBIDDEN, "Access denied", "The user is not authorized to perform this action");
-//                }
-//                IdToken idToken = IdToken.builder().tokenValue(ACCESS_TOKEN).expirationTimeMillis(JWT.decode(ACCESS_TOKEN).getExpiresAt().getTime()).build();
-//
-//                this.cacheService.put(tenant.getServiceAccount(), idToken);
-//
-//            } catch (InterruptedException e) {
-//                e.printStackTrace();
-//            } catch (ExecutionException e) {
-//                e.printStackTrace();
-//            } catch (MalformedURLException e) {
-//                e.printStackTrace();
-//            } finally {
-//                service.shutdown();
-//            }
-//        } catch (JWTDecodeException e) {
-//            throw new AppException(HttpStatus.SC_INTERNAL_SERVER_ERROR, "Persistence error", "Invalid token, error decoding", e);
-//        } catch (AppException e) {
-//            throw e;
-//        } catch (Exception e) {
-//            throw new AppException(HttpStatus.SC_INTERNAL_SERVER_ERROR, "Persistence error", "Error generating token", e);
-//        }
-//
-//        return ACCESS_TOKEN;
-//    }
 
     public String getIdToken(String tenantName) {
-
         this.log.info("Tenant name received for auth token is: " + tenantName);
         TenantInfo tenant = this.tenantInfoServiceProvider.getTenantInfo(tenantName);
         if (tenant == null) {
             this.log.error("Invalid tenant name receiving from azure");
             throw new AppException(HttpStatus.SC_BAD_REQUEST, "Invalid tenant Name", "Invalid tenant Name from azure");
         }
-
-        String authToken = "";
-        IAuthenticationResult updatedResult;
+        String ACCESS_TOKEN = "";
         try {
 
             IdToken cachedToken = this.cacheService.get(tenant.getServiceAccount());
             this.headersInfoAzure.getHeaders().put(DpsHeaders.USER_EMAIL, tenant.getServiceAccount());
+            this.dpsHeaders.put(DpsHeaders.USER_EMAIL, tenant.getServiceAccount());
 
             if (!IdToken.refreshToken(cachedToken)) {
-               authToken = cachedToken.getTokenValue();
-               return authToken;
+                ACCESS_TOKEN = cachedToken.getTokenValue();
             }
 
-            ConfidentialClientApplication application = ConfidentialClientApplication.builder(
-                    configuration.getClientId(),
-                    ClientCredentialFactory.create(configuration.getSecretKey()))
-                    .authority(configuration.getAuthority())
-                    .build();
+            ExecutorService service = Executors.newFixedThreadPool(1);
+            AuthenticationContext context = null;
+
+            try {
+                context = new AuthenticationContext(configuration.getAuthority(), false, service);
+                ClientCredential credential = new ClientCredential(configuration.getClientId(), configuration.getSecretKey());
+                Future<AuthenticationResult> future = context.acquireToken(configuration.getOboApi(), credential, null);
+
+                ACCESS_TOKEN =  future.get().getAccessToken();
 
-            SilentParameters silentParameters =
-                    SilentParameters.builder(Collections.singleton(configuration.getOboApi()))
-                            .build();
-            CompletableFuture<IAuthenticationResult> auth = application.acquireTokenSilently(silentParameters);
+                if (future == null) {
+                    log.error(String.format("Azure Authentication: %s", future.get().getAccessToken()));
+                    throw new AppException(HttpStatus.SC_FORBIDDEN, "Access denied", "The user is not authorized to perform this action");
+                }
+                IdToken idToken = IdToken.builder().tokenValue(ACCESS_TOKEN).expirationTimeMillis(JWT.decode(ACCESS_TOKEN).getExpiresAt().getTime()).build();
 
-            updatedResult =  auth.join();
+                this.cacheService.put(tenant.getServiceAccount(), idToken);
 
-            if (updatedResult == null) {
-                throw new ServiceUnavailableException("authentication result was null");
+            } catch (InterruptedException e) {
+                e.printStackTrace();
+            } catch (ExecutionException e) {
+                e.printStackTrace();
+            } catch (MalformedURLException e) {
+                e.printStackTrace();
+            } finally {
+                service.shutdown();
             }
-//            if (updatedResult == null){
-//                OnBehalfOfParameters parameters =
-//                        OnBehalfOfParameters.builder(Collections.singleton(configuration.getOboApi()),
-//                                new UserAssertion(authToken))
-//                                .build();
-//
-//                updatedResult = application.acquireToken(parameters).join();
-//            }
-            authToken = updatedResult.accessToken();
         } catch (JWTDecodeException e) {
             throw new AppException(HttpStatus.SC_INTERNAL_SERVER_ERROR, "Persistence error", "Invalid token, error decoding", e);
         } catch (AppException e) {
@@ -147,6 +97,6 @@ public class ServiceAccountJwtClientImpl implements IServiceAccountJwtClient {
             throw new AppException(HttpStatus.SC_INTERNAL_SERVER_ERROR, "Persistence error", "Error generating token", e);
         }
 
-        return authToken;
+        return ACCESS_TOKEN;
     }
 }