Commit 0767a3dd authored by Matt Wise

Merge branch 'aws-integration' into 'master'

CORS Fix, AWS Updates

See merge request !60
parents 37279d41 2bb268f5
......@@ -22,9 +22,13 @@ import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
import org.opengroup.osdu.core.common.http.json.HttpResponseBodyMapper;
import org.opengroup.osdu.notification.provider.interfaces.IAppProperties;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.beans.factory.config.AbstractFactoryBean;
import org.springframework.stereotype.Component;
import javax.inject.Inject;
@Component
public class EntitlementsClientFactory extends AbstractFactoryBean<IEntitlementsFactory> {
......@@ -43,4 +47,4 @@ public class EntitlementsClientFactory extends AbstractFactoryBean<IEntitlements
public Class<?> getObjectType() {
return IEntitlementsFactory.class;
}
}
\ No newline at end of file
}
......@@ -16,12 +16,14 @@
package org.opengroup.osdu.notification.logging;
import org.opengroup.osdu.core.common.http.ResponseHeadersFactory;
import org.opengroup.osdu.core.common.logging.ILogger;
import org.opengroup.osdu.core.common.model.http.DpsHeaders;
import org.opengroup.osdu.core.common.model.http.Request;
import org.opengroup.osdu.notification.di.RequestInfoExt;
import static org.opengroup.osdu.core.common.http.ResponseHeaders.STANDARD_RESPONSE_HEADERS;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import javax.servlet.*;
......@@ -43,6 +45,12 @@ public class ResponseLogFilter implements Filter {
@Autowired
private ILogger logger;
private ResponseHeadersFactory responseHeadersFactory = new ResponseHeadersFactory();
// defaults to * for any front-end, string must be comma-delimited if more than one domain
@Value("${ACCESS_CONTROL_ALLOW_ORIGIN_DOMAINS:*}")
String ACCESS_CONTROL_ALLOW_ORIGIN_DOMAINS;
@Override
public void init(FilterConfig filterConfig) {
//do nothing
......@@ -85,9 +93,9 @@ public class ResponseLogFilter implements Filter {
public void destroy() { }
private void setResponseHeaders(HttpServletResponse httpServletResponse) {
Map<String, List<Object>> standardHeaders = STANDARD_RESPONSE_HEADERS;
for (Map.Entry<String, List<Object>> header : standardHeaders.entrySet()) {
httpServletResponse.addHeader(header.getKey(), header.getValue().toString());
Map<String, String> responseHeaders = responseHeadersFactory.getResponseHeaders(ACCESS_CONTROL_ALLOW_ORIGIN_DOMAINS);
for (Map.Entry<String, String> header : responseHeaders.entrySet()) {
httpServletResponse.addHeader(header.getKey(), header.getValue());
}
}
}
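Review bot: The fallback in `@Value("${ACCESS_CONTROL_ALLOW_ORIGIN_DOMAINS:*}")` makes every deployment that forgets the variable answer all origins with `Access-Control-Allow-Origin: *`, and the updated tests in this commit assert `Access-Control-Allow-Credentials: true` next to that `*`; browsers reject that pair, so the credentials flag is either dead weight or, should `ResponseHeadersFactory` ever reflect the request origin to satisfy it, a way for any site to make authenticated cross-origin calls. I would drop the `:*` fallback so startup fails when the allowlist is unset, or at minimum document the contract above the field: `// Comma-delimited allowlist of front-end origins. "*" must not be combined with Access-Control-Allow-Credentials.` How `getResponseHeaders` in os-core-common 0.3.28 splits or validates the string is not visible here, so confirm that before relying on it. As a point of style, `ACCESS_CONTROL_ALLOW_ORIGIN_DOMAINS` is a package-private mutable field rather than a constant, so `private String allowedOriginDomains;` follows Java naming.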
......@@ -25,7 +25,7 @@
<java.version>8</java.version>
<maven.compiler.target>${java.version}</maven.compiler.target>
<maven.compiler.source>${java.version}</maven.compiler.source>
<os-core-common.version>0.3.27</os-core-common.version>
<os-core-common.version>0.3.28</os-core-common.version>
</properties>
<licenses>
......@@ -18,7 +18,14 @@ FROM amazoncorretto:8
ARG JAR_FILE=provider/notification-aws/target/*spring-boot.jar
# Harcoding this value since Notification-core requires this variable. AWS does not use it. Might change in future
ENV ENVIRONMENT=DEV
#Default to using self signed generated TLS cert
ENV USE_SELF_SIGNED_SSL_CERT true
WORKDIR /
COPY ${JAR_FILE} app.jar
COPY /provider/notification-aws/build-aws/ssl.sh /ssl.sh
COPY /provider/notification-aws/build-aws/entrypoint.sh /entrypoint.sh
EXPOSE 8080
ENTRYPOINT java $JAVA_OPTS -jar /app.jar
ENTRYPOINT ["/bin/sh", "-c", ". /entrypoint.sh"]
\ No newline at end of file
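Review bot: `ENV USE_SELF_SIGNED_SSL_CERT true` bakes a throwaway `CN=localhost` certificate into every image built from this file, production included, and nothing in the image records how to turn it off or supply a real keystore; as the `[ -n $USE_SELF_SIGNED_SSL_CERT ]` test in entrypoint.sh is written, neither an empty value nor `false` actually disables it. Add a comment above the ENV spelling out the override contract, e.g. `# Dev default. For real TLS set USE_SELF_SIGNED_SSL_CERT to anything but "true" and mount a keystore, exporting SSL_KEY_STORE_PATH, SSL_KEY_STORE_PASSWORD and SSL_KEY_ALIAS`. ssl.sh is invoked as `./ssl.sh` from the sourced entrypoint and so needs the executable bit; COPY keeps whatever mode the repository has, which I cannot see here, so `RUN chmod +x /ssl.sh` after the COPY removes the dependency on git file modes.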
......@@ -27,9 +27,11 @@ phases:
runtime-versions:
java: corretto8
commands:
# fix error noted here: https://github.com/yarnpkg/yarn/issues/7866
- curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
- if [ $(echo $CODEBUILD_SOURCE_VERSION | grep -c ^refs/heads.*) -eq 1 ]; then echo "Branch name found"; else echo "This build only supports branch builds" && exit 1; fi
- apt-get update -y
- apt-get install -y maven
- apt-get update -y -qq > /dev/null
- apt-get install -y maven -qq >/dev/null
- java -version
- mvn -version
- mkdir -p /root/.m2
......@@ -56,7 +58,7 @@ phases:
- printenv
- echo "Building primary service assemblies..."
- mvn -B test install -pl notification-core,provider/notification-aws -Ddeployment.environment=prod
- mvn -ntp -B test install -pl notification-core,provider/notification-aws -Ddeployment.environment=prod
- echo "Building integration testing assemblies and gathering artifacts..."
- ./testing/notification-test-aws/build-aws/prepare-dist.sh
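Review bot: `curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -` installs whatever the download returns as a trusted APT signer for the build host with no fingerprint check, so a substituted or compromised download silently gains the ability to sign packages this build installs; without `-f` an HTTP error page would be piped into apt-key rather than failing the step. Download to a file with `curl -fsSL ... -o /tmp/yarn.gpg`, verify its fingerprint (`gpg --show-keys --with-fingerprint /tmp/yarn.gpg`) against the value you expect before `apt-key add /tmp/yarn.gpg`, or vendor the key file into the repository. The comment linking the yarn issue explains the symptom but not the trust decision; stating the expected fingerprint there would document both. The new `-qq >/dev/null` on apt-get also hides exactly the output needed when this step fails.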
if [ -n $USE_SELF_SIGNED_SSL_CERT ];
then
export SSL_KEY_PASSWORD=$RANDOM$RANDOM$RANDOM;
export SSL_KEY_STORE_PASSWORD=$SSL_KEY_PASSWORD;
export SSL_KEY_STORE_DIR=/tmp/certs;
export SSL_KEY_STORE_NAME=osduonaws.p12;
export SSL_KEY_STORE_PATH=$SSL_KEY_STORE_DIR/$SSL_KEY_STORE_NAME;
export SSL_KEY_ALIAS=osduonaws;
./ssl.sh;
fi
java $JAVA_OPTS -jar /app.jar
\ No newline at end of file
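Review bot: `if [ -n $USE_SELF_SIGNED_SSL_CERT ]` is always true: unquoted, an empty variable collapses it to `[ -n ]`, a one-argument test that succeeds, and a non-empty value such as `false` also succeeds, so the self-signed keystore is generated regardless of what the deployment sets. Compare the value explicitly, `if [ "${USE_SELF_SIGNED_SSL_CERT:-}" = "true" ]; then`, and document it above: `# USE_SELF_SIGNED_SSL_CERT=true generates a throwaway PKCS12 keystore under /tmp/certs; otherwise SSL_KEY_STORE_* must point at a real one`. The last line should be `exec java $JAVA_OPTS -jar /app.jar` so the JVM replaces the shell and receives SIGTERM on container stop instead of the shell swallowing it. `$RANDOM` is a bash feature and not cryptographically strong; the password only guards an ephemeral in-container file, but under a POSIX sh without RANDOM it expands to empty and keytool will presumably refuse the empty password.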
# Copyright © 2021 Amazon Web Services
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#!/usr/bin/env bash
#Future: Support for using Amazon Cert Manager
# if [ "$1" == "webserver" ] && [ -n $ACM_CERTIFICATE_ARN ];
# then
# aws acm export-certificate --certificate-arn $ACM_CERTIFICATE_ARN --passphrase $(echo -n 'aws123' | openssl base64 -e) | jq -r '"\(.PrivateKey)"' > ${SSL_KEY_PATH}.enc
# openssl rsa -in ${SSL_KEY_PATH}.enc -out $SSL_KEY_PATH -passin pass:aws123
# aws acm get-certificate --certificate-arn $ACM_CERTIFICATE_ARN | jq -r '"\(.CertificateChain)"' > $SSL_CERT_PATH
# aws acm get-certificate --certificate-arn $ACM_CERTIFICATE_ARN | jq -r '"\(.Certificate)"' >> $SSL_CERT_PATH
# fi
if [ -n $USE_SELF_SIGNED_SSL_CERT ];
then
mkdir -p $SSL_KEY_STORE_DIR
pushd $SSL_KEY_STORE_DIR
keytool -genkeypair -alias $SSL_KEY_ALIAS -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore $SSL_KEY_STORE_NAME -validity 3650 -keypass $SSL_KEY_PASSWORD -storepass $SSL_KEY_PASSWORD -dname "CN=localhost, OU=AWS, O=Energy, L=Houston, ST=TX, C=US"
popd
fi
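Review bot: The `#!/usr/bin/env bash` line sits below the license header, so it is an ordinary comment and the script runs under whatever interpreter the caller falls back to; the bash-only `pushd`/`popd` then depend on `/bin/sh` being bash, which holds on amazoncorretto but is not guaranteed. Move the shebang to line 1, or replace `pushd`/`popd` with `cd "$SSL_KEY_STORE_DIR"` inside a subshell. `[ -n $USE_SELF_SIGNED_SSL_CERT ]` has the same always-true problem as the entrypoint (unquoted, and `false` is non-empty); use `[ "${USE_SELF_SIGNED_SSL_CERT:-}" = "true" ]`. The commented-out ACM block carries a literal export passphrase `aws123`; dead code with a baked-in secret tends to get revived verbatim, so delete it or leave only `# TODO: ACM export passphrase must come from Secrets Manager, never a literal` in its place.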
......@@ -48,7 +48,7 @@
<dependency>
<groupId>org.opengroup.osdu.core.aws</groupId>
<artifactId>os-core-lib-aws</artifactId>
<version>0.6.0-SNAPSHOT</version>
<version>0.3.17</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk-secretsmanager -->
......@@ -79,10 +79,12 @@ public class AwsCognitoClient {
public static AWSCognitoIdentityProvider generateCognitoClient(String region)
{
return AWSCognitoIdentityProviderClientBuilder.standard()
.withCredentials(IAMConfig.amazonAWSCredentials())
.withRegion(region)
.build();
if (System.getenv("AWS_COGNITO_REGION") != null) {
region = System.getenv("AWS_COGNITO_REGION");
}
return AWSCognitoIdentityProviderClientBuilder.standard().
withCredentials(IAMConfig.amazonAWSCredentials()).
withRegion(region).build();
}
public void setPassword(String username, String password,String userPoolId){
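Review bot: The new `AWS_COGNITO_REGION` lookup silently overrides the `region` argument, so a caller passing an explicit region gets a client in a different one with no indication; that precedence should at least be documented, e.g. Javadoc `@param region fallback region; the AWS_COGNITO_REGION environment variable, when set, takes precedence`. Reassigning the parameter and calling `System.getenv` twice reads awkwardly; `String effectiveRegion = Optional.ofNullable(System.getenv("AWS_COGNITO_REGION")).orElse(region);` (java.util.Optional) expresses it once. Style: the builder chain was rewritten with trailing dots (`standard().` / `withCredentials(...).`), departing from the leading-dot form used by the removed lines and by the sibling `AwsCognitoClient` changed in this same commit.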
# Copyright © 2020 Amazon Web Services
# Copyright 2020 Amazon Web Services
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
......@@ -43,3 +43,10 @@ logging.mdccontext.enabled=true
# if this is turned on then the service tries to connect to elastic search
management.health.elasticsearch.enabled=false
server.ssl.enabled=${SSL_ENABLED:true}
server.ssl.key-store-type=PKCS12
server.ssl.key-store=${SSL_KEY_STORE_PATH:/certs/osduonaws.p12}
server.ssl.key-alias=${SSL_KEY_ALIAS:osduonaws}
server.ssl.key-password=${SSL_KEY_PASSWORD:}
server.ssl.key-store-password=${SSL_KEY_STORE_PASSWORD:}
\ No newline at end of file
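Review bot: The TLS block defaults `server.ssl.enabled` to true while defaulting the keystore to `/certs/osduonaws.p12` with empty passwords, a path that matches neither the `/tmp/certs` location the AWS entrypoint exports nor any keystore shipped in the image, so running the jar outside that entrypoint presumably fails at startup with only a generic keystore error. Document the contract in the file: `# TLS is on by default. The AWS entrypoint generates a self-signed PKCS12 keystore and exports SSL_KEY_STORE_PATH/SSL_KEY_STORE_PASSWORD/SSL_KEY_ALIAS; set SSL_ENABLED=false only behind a TLS-terminating load balancer.` Defaulting `SSL_KEY_STORE_PATH` to the same `/tmp/certs/osduonaws.p12` the entrypoint uses would leave one source of truth instead of two.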
......@@ -42,7 +42,7 @@
<dependency>
<groupId>org.opengroup.osdu.core.aws</groupId>
<artifactId>os-core-lib-aws</artifactId>
<version>0.3.13</version>
<version>0.3.16</version>
</dependency>
<dependency>
<groupId>com.amazonaws</groupId>
......@@ -85,9 +85,14 @@ public class AwsCognitoClient {
public static AWSCognitoIdentityProvider generateCognitoClient()
{
return AWSCognitoIdentityProviderClientBuilder.standard()
.withCredentials(IAMConfig.amazonAWSCredentials())
.withRegion(AwsConfig.getAwsRegion())
.build();
String region = System.getenv("AWS_COGNITO_REGION");
AWSCognitoIdentityProviderClientBuilder builder = AWSCognitoIdentityProviderClientBuilder.standard()
.withCredentials(IAMConfig.amazonAWSCredentials());
if ( region!= null) {
builder.withRegion(region);
}else{
builder.withRegion(AwsConfig.getAwsRegion());
}
return builder.build();
}
}
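Review bot: The new branch in `generateCognitoClient()` is formatted inconsistently with the file (`if ( region!= null) {`, `}else{`) and spreads one decision over an if/else that a single expression states: `.withRegion(region != null ? region : AwsConfig.getAwsRegion())`. A comment above the lookup recording why the variable exists, e.g. `// AWS_COGNITO_REGION lets this client target a Cognito pool in a different region than the service`, would help, since the intent is not visible from the code; that this is the integration-test client is my inference from the surrounding files. An empty string exported as `AWS_COGNITO_REGION` passes the null check and reaches the builder, so `isEmpty()` may belong in the condition.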
......@@ -97,17 +97,17 @@ public class TestPubsubEndpointHMAC extends PubsubEndpointHMACTests {
try {
ClientResponse response = descriptor.run(this.getArg(), this.testUtils.getOpsToken());
Assert.assertEquals(this.error(response.getStatus() == 204 ? "" : (String)response.getEntity(String.class)), (long)this.expectedOkResponseCode(), (long)response.getStatus());
Assert.assertEquals("[GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH]", response.getHeaders().getFirst("Access-Control-Allow-Methods"));
Assert.assertEquals("[origin, content-type, accept, authorization, data-partition-id, correlation-id, appkey]", response.getHeaders().getFirst("Access-Control-Allow-Headers"));
Assert.assertEquals("[*]", response.getHeaders().getFirst("Access-Control-Allow-Origin"));
Assert.assertEquals("[true]", response.getHeaders().getFirst("Access-Control-Allow-Credentials"));
Assert.assertEquals("GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH", response.getHeaders().getFirst("Access-Control-Allow-Methods"));
Assert.assertEquals("origin, content-type, accept, authorization, data-partition-id, correlation-id, appkey", response.getHeaders().getFirst("Access-Control-Allow-Headers"));
Assert.assertEquals("*", response.getHeaders().getFirst("Access-Control-Allow-Origin"));
Assert.assertEquals("true", response.getHeaders().getFirst("Access-Control-Allow-Credentials"));
Assert.assertEquals("DENY", response.getHeaders().getFirst("X-Frame-Options"));
Assert.assertEquals("1; mode=block", response.getHeaders().getFirst("X-XSS-Protection"));
Assert.assertEquals("nosniff", response.getHeaders().getFirst("X-Content-Type-Options"));
Assert.assertEquals("[no-cache, no-store, must-revalidate]", response.getHeaders().getFirst("Cache-Control"));
Assert.assertEquals("[default-src 'self']", response.getHeaders().getFirst("Content-Security-Policy"));
Assert.assertEquals("[max-age=31536000; includeSubDomains]", response.getHeaders().getFirst("Strict-Transport-Security"));
Assert.assertEquals("[0]", response.getHeaders().getFirst("Expires"));
Assert.assertEquals("no-cache, no-store, must-revalidate", response.getHeaders().getFirst("Cache-Control"));
Assert.assertEquals("default-src 'self'", response.getHeaders().getFirst("Content-Security-Policy"));
Assert.assertEquals("max-age=31536000; includeSubDomains", response.getHeaders().getFirst("Strict-Transport-Security"));
Assert.assertEquals("0", response.getHeaders().getFirst("Expires"));
} finally {
this.deleteResource();
}
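Review bot: This test still pins `Strict-Transport-Security` with an exact `assertEquals("max-age=31536000; includeSubDomains", ...)` while the sibling `BaseTestTemplate` in the same commit relaxes the identical check to two `contains()` assertions; one of the two will drift from what the header factory emits, so the templates should agree, either both exact or both tokenised. If the relaxation was made because the value varies by provider, a one-line comment saying so belongs next to it. The test also hard-codes `Access-Control-Allow-Origin` as `*`, so any deployment that sets the new `ACCESS_CONTROL_ALLOW_ORIGIN_DOMAINS` in `ResponseLogFilter` will fail here; the expected origin should come from the test environment. The enclosing test method and its try/finally begin outside this hunk.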
......@@ -26,6 +26,7 @@ import java.util.List;
import java.util.Map;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
public abstract class BaseTestTemplate extends TestBase {
......@@ -87,17 +88,18 @@ public abstract class BaseTestTemplate extends TestBase {
ClientResponse response = descriptor.run(getArg(), testUtils.getOpsToken());
assertEquals(error(response.getStatus() == 204 ? "" : response.getEntity(String.class)), expectedOkResponseCode(), response.getStatus());
assertEquals("[GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH]", response.getHeaders().getFirst("Access-Control-Allow-Methods"));
assertEquals("[origin, content-type, accept, authorization, data-partition-id, correlation-id, appkey]", response.getHeaders().getFirst("Access-Control-Allow-Headers"));
assertEquals("[*]", response.getHeaders().getFirst("Access-Control-Allow-Origin"));
assertEquals("[true]", response.getHeaders().getFirst("Access-Control-Allow-Credentials"));
assertEquals("GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH", response.getHeaders().getFirst("Access-Control-Allow-Methods"));
assertEquals("origin, content-type, accept, authorization, data-partition-id, correlation-id, appkey", response.getHeaders().getFirst("Access-Control-Allow-Headers"));
assertEquals("*", response.getHeaders().getFirst("Access-Control-Allow-Origin"));
assertEquals("true", response.getHeaders().getFirst("Access-Control-Allow-Credentials"));
assertEquals("DENY", response.getHeaders().getFirst("X-Frame-Options"));
assertEquals("1; mode=block", response.getHeaders().getFirst("X-XSS-Protection"));
assertEquals("nosniff", response.getHeaders().getFirst("X-Content-Type-Options"));
assertEquals("[no-cache, no-store, must-revalidate]", response.getHeaders().getFirst("Cache-Control"));
assertEquals("[default-src 'self']", response.getHeaders().getFirst("Content-Security-Policy"));
assertEquals("[max-age=31536000; includeSubDomains]", response.getHeaders().getFirst("Strict-Transport-Security"));
assertEquals("[0]", response.getHeaders().getFirst("Expires"));
assertEquals("no-cache, no-store, must-revalidate", response.getHeaders().getFirst("Cache-Control"));
assertEquals("default-src 'self'", response.getHeaders().getFirst("Content-Security-Policy"));
assertTrue(response.getHeaders().get("Strict-Transport-Security").get(0).contains("max-age=31536000"));
assertTrue(response.getHeaders().get("Strict-Transport-Security").get(0).contains("includeSubDomains"));
assertEquals("0", response.getHeaders().getFirst("Expires"));
} finally {
deleteResource();
}
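Review bot: The relaxed HSTS check `contains("max-age=31536000")` also passes for `max-age=315360000` or any longer digit string, and `contains("includeSubDomains")` is case-sensitive although the directive is not, so the assertion no longer pins what a security-header test exists to pin. Split the header value on `;`, trim each token, and assert the resulting set equals `{"max-age=31536000", "includeSubDomains"}`; that tolerates ordering differences without tolerating a different value. A comment stating why exact equality was dropped should accompany it, as the reason (presumably provider-specific formatting) is not visible here. The test method starts outside this hunk.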