From 4259f60f310ef0bd9316007ef7fb851366ed8d6d Mon Sep 17 00:00:00 2001 From: "Riabokon Stanislav(EPAM)[GCP]" <stanislav_riabokon@epam.com> Date: Tue, 17 Jan 2023 13:23:42 +0000 Subject: [PATCH] Removed aud (GONRG-6303) --- devops/gcp/deploy/README.md | 1 - devops/gcp/deploy/templates/configmap.yaml | 1 - devops/gcp/deploy/values.yaml | 1 - provider/notification-gcp/docs/gcp/README.md | 2 - provider/notification-gcp/pom.xml | 2 +- .../provider/gcp/util/JwtValidity.java | 36 +++--- .../util/ServiceAccountJwtGcpClientImpl.java | 36 +++--- .../resources/application-local.properties | 1 - .../osdu/notification/util/Config.java | 2 +- .../osdu/notification/util/GCPTestUtils.java | 84 +++++++------ .../util/GoogleServiceAccount.java | 116 ++++++++++-------- 11 files changed, 152 insertions(+), 130 deletions(-) diff --git a/devops/gcp/deploy/README.md b/devops/gcp/deploy/README.md index df9605af7..d3cfe7b1b 100644 --- a/devops/gcp/deploy/README.md +++ b/devops/gcp/deploy/README.md @@ -36,7 +36,6 @@ First you need to set variables in **values.yaml** file using any code editor. S **entitlementsHost** | entitlements service host address | string | `http://entitlements` | yes **registerHost** | register service host address | string | `http://register` | yes **partitionHost** | partition service host address | string | `http://partition` | yes -**googleAudiences** | Client ID of Google Cloud Credentials, ex `123-abc123.apps.googleusercontent.com` | string | - | yes ### Deployment variables diff --git a/devops/gcp/deploy/templates/configmap.yaml b/devops/gcp/deploy/templates/configmap.yaml index c217ee88f..3099712be 100644 --- a/devops/gcp/deploy/templates/configmap.yaml +++ b/devops/gcp/deploy/templates/configmap.yaml @@ -12,5 +12,4 @@ data: REGISTER_HOST: {{ .Values.data.registerHost | quote}} PARTITION_HOST: {{ .Values.data.partitionHost | quote}} {{- if not .Values.conf.onPremEnabled }} - GOOGLE_AUDIENCES: {{ .Values.data.googleAudiences | quote}} {{- end }} 
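Review bot: With `GOOGLE_AUDIENCES` gone, the `{{- if not .Values.conf.onPremEnabled }}` / `{{- end }}` pair at the end of the `data:` map guards nothing, so the template now renders an empty conditional. Drop the two guard lines as well unless another non-on-prem key is about to be added there; the hunk counts (-12,5 +12,4) suggest that pair is the whole tail of the map.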
diff --git a/devops/gcp/deploy/values.yaml b/devops/gcp/deploy/values.yaml index 4d8f306b1..c166b37a1 100644 --- a/devops/gcp/deploy/values.yaml +++ b/devops/gcp/deploy/values.yaml @@ -5,7 +5,6 @@ data: entitlementsHost: "http://entitlements" registerHost: "http://register" partitionHost: "http://partition" - googleAudiences: "" #Deployments requestsCpu: "0.1" requestsMemory: "256M" diff --git a/provider/notification-gcp/docs/gcp/README.md b/provider/notification-gcp/docs/gcp/README.md index c1418d03c..4410de7f1 100644 --- a/provider/notification-gcp/docs/gcp/README.md +++ b/provider/notification-gcp/docs/gcp/README.md @@ -37,7 +37,6 @@ | name | value | description | sensitive? | source | |------------------------------|---------------------------------------|--------------------------------------------------------------------|------------|---------------------------------------------------| | `APP_PROJECT` | ex `opendes` | Google Cloud Project Id | no | output of infrastructure deployment | -| `GOOGLE_AUDIENCES` | ex `*****.apps.googleusercontent.com` | Client ID for getting access to cloud resources | yes | https://console.cloud.google.com/apis/credentials | ##### service account IAM roles Also, the following IAM roles should be assigned to the service's Google service account (SA) 
@@ -67,7 +66,6 @@ After the service has started it should be accessible via a web browser by visit | `HMAC_SECRET` | ex`7a786376626e` | String in hex , must match pattern ^[a-zA-Z0-9]{8,30}+$ & be in register variable SUBSCRIBER_SECRET | yes | - | | `REGISTER_BASE_URL` | `http://localhost:8081/api/register/v1` | Register service url | no | - | | `NOTIFICATION_BASE_URL` | `http://localhost:8080/api/notification/v1/` | Notification service url | no | - | -| `INTEGRATION_TEST_AUDIENCE` | `********` | Client application ID | yes | https://console.cloud.google.com/apis/credentials | | `CLIENT_TENANT` | ex `opendes` | Client tenant | no | - | | `OSDU_TENANT` | ex `osdu` | osdu tenant | no | - | | `TOPIC_ID` | ex `records-changed` | PubSub topic id | no | https://console.cloud.google.com/cloudpubsub/topic | diff --git a/provider/notification-gcp/pom.xml b/provider/notification-gcp/pom.xml index 5cb26371a..2d3000afc 100644 --- a/provider/notification-gcp/pom.xml +++ b/provider/notification-gcp/pom.xml @@ -47,7 +47,7 @@ <dependency> <groupId>org.opengroup.osdu</groupId> <artifactId>core-lib-gcp</artifactId> - <version>0.18.0</version> + <version>0.19.0-rc3</version> </dependency> <dependency> diff --git a/provider/notification-gcp/src/main/java/org/opengroup/osdu/notification/provider/gcp/util/JwtValidity.java b/provider/notification-gcp/src/main/java/org/opengroup/osdu/notification/provider/gcp/util/JwtValidity.java index 2685b9e71..3890e3ef7 100644 --- a/provider/notification-gcp/src/main/java/org/opengroup/osdu/notification/provider/gcp/util/JwtValidity.java +++ b/provider/notification-gcp/src/main/java/org/opengroup/osdu/notification/provider/gcp/util/JwtValidity.java 
@@ -1,19 +1,19 @@ /* - Copyright 2020 Google LLC - Copyright 2020 EPAM Systems, Inc + Copyright 2020-2023 Google LLC + Copyright 2020-2023 EPAM Systems, Inc - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + http://www.apache.org/licenses/LICENSE-2.0 - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - */ + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ package org.opengroup.osdu.notification.provider.gcp.util; @@ -24,11 +24,11 @@ import lombok.NoArgsConstructor; @NoArgsConstructor public class JwtValidity { - String token; - long expiryTime; + String token; + long expiryTime; - JwtValidity(String jwt, long expiryTime) { - this.token = jwt; - this.expiryTime = expiryTime; - } + JwtValidity(String jwt, long expiryTime) { + this.token = jwt; + this.expiryTime = expiryTime; + } } diff --git a/provider/notification-gcp/src/main/java/org/opengroup/osdu/notification/provider/gcp/util/ServiceAccountJwtGcpClientImpl.java b/provider/notification-gcp/src/main/java/org/opengroup/osdu/notification/provider/gcp/util/ServiceAccountJwtGcpClientImpl.java index 2c5af0c72..4d5261b12 100644 
--- a/provider/notification-gcp/src/main/java/org/opengroup/osdu/notification/provider/gcp/util/ServiceAccountJwtGcpClientImpl.java +++ b/provider/notification-gcp/src/main/java/org/opengroup/osdu/notification/provider/gcp/util/ServiceAccountJwtGcpClientImpl.java @@ -1,19 +1,19 @@ /* - Copyright 2020 Google LLC - Copyright 2020 EPAM Systems, Inc + Copyright 2020-2023 Google LLC + Copyright 2020-2023 EPAM Systems, Inc - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + http://www.apache.org/licenses/LICENSE-2.0 - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - */ + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ package org.opengroup.osdu.notification.provider.gcp.util; 
@@ -28,12 +28,10 @@ import org.springframework.stereotype.Component; @RequiredArgsConstructor public class ServiceAccountJwtGcpClientImpl implements IServiceAccountJwtClient { - private final TokenProvider tokenProvider; + private final TokenProvider tokenProvider; - public String getIdToken(String tenantName) { - log.debug("Tenant name received for auth token is: {}", tenantName); - return "Bearer " + tokenProvider.getIdToken(); - } + public String getIdToken(String tenantName) { + log.debug("Tenant name received for auth token is: {}", tenantName); + return "Bearer " + tokenProvider.getIdToken(); + } } - - diff --git a/provider/notification-gcp/src/main/resources/application-local.properties b/provider/notification-gcp/src/main/resources/application-local.properties index ec8e96864..0aba93ff4 100644 --- a/provider/notification-gcp/src/main/resources/application-local.properties +++ b/provider/notification-gcp/src/main/resources/application-local.properties @@ -20,7 +20,6 @@ logging.level.org.springframework.web=${LOG_LEVEL:DEBUG} app.entitlements=https://community.gcp.gnrg-osdu.projects.epam.com/entitlements/v2 app.register=https://community.gcp.gnrg-osdu.projects.epam.com/api/register/v1 app.project=nice-etching-277309 -google-audiences=689762842995-pv217jo3k8j803kk6gqf52qb5amos3a9.apps.googleusercontent.com service.token.provider=GCP partition-auth-enabled=true diff --git a/testing/notification-test-core/src/main/java/org/opengroup/osdu/notification/util/Config.java b/testing/notification-test-core/src/main/java/org/opengroup/osdu/notification/util/Config.java index 8f7655b27..accd83284 100644 --- a/testing/notification-test-core/src/main/java/org/opengroup/osdu/notification/util/Config.java +++ b/testing/notification-test-core/src/main/java/org/opengroup/osdu/notification/util/Config.java 
@@ -37,7 +37,7 @@ public class Config { public static Config Instance() { String env = getEnvironment(); config.ClientTenant = getEnvironmentVariableOrDefaultValue("CLIENT_TENANT", "nonexistenttenant"); - config.IntegrationAudience = getEnvironmentVariableOrDefaultValue("INTEGRATION_TEST_AUDIENCE", "245464679631-ktfdfpl147m1mjpbutl00b3cmffissgq.apps.googleusercontent.com"); + config.IntegrationAudience = "osdu"; config.OsduTenant = getEnvironmentVariableOrDefaultValue("OSDU_TENANT", "opendes"); config.Topic = getEnvironmentVariableOrDefaultValue("TOPIC_ID", "records-changed"); config.TimeOutSeconds = getEnvironmentVariableOrDefaultValue("TIME_OUT_SECONDS", "60"); diff --git a/testing/notification-test-gcp/src/test/java/org/opengroup/osdu/notification/util/GCPTestUtils.java b/testing/notification-test-gcp/src/test/java/org/opengroup/osdu/notification/util/GCPTestUtils.java index 639eeecb1..dc7766bed 100644 --- a/testing/notification-test-gcp/src/test/java/org/opengroup/osdu/notification/util/GCPTestUtils.java +++ b/testing/notification-test-gcp/src/test/java/org/opengroup/osdu/notification/util/GCPTestUtils.java @@ -1,3 +1,20 @@ +/* + Copyright 2020-2023 Google LLC + Copyright 2020-2023 EPAM Systems, Inc + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + package org.opengroup.osdu.notification.util; import com.google.common.base.Strings; 
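Review bot: `config.IntegrationAudience = "osdu";` hard-codes the audience, and the identical literal `"osdu"` is hard-coded a second time as the `target_audience` claim in `GoogleServiceAccount.getAuthToken()` (the last hunk of this patch), so the two values can silently drift apart. Define it once — e.g. `public static final String INTEGRATION_AUDIENCE = "osdu";` on `Config` — and have both places read it, provided the gcp test module already depends on notification-test-core (not visible here). Whether anything still reads `IntegrationAudience` now that the `INTEGRATION_TEST_AUDIENCE` override is gone is also not visible in this patch; if nothing does, the field should go with it. `Instance()` continues outside the hunk.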
@@ -6,50 +23,43 @@ import lombok.extern.slf4j.Slf4j; @Slf4j public class GCPTestUtils extends TestUtils { - public GCPTestUtils() { + public GCPTestUtils() {} + @Override + public synchronized String getOpsToken() throws Exception { + if (Strings.isNullOrEmpty(opsToken)) { + opsToken = getToken("DE_OPS_TESTER"); } + return opsToken; + } - @Override - public synchronized String getOpsToken() throws Exception { - if(Strings.isNullOrEmpty(opsToken)) { - opsToken = getToken("DE_OPS_TESTER"); - } - return opsToken; + @Override + public synchronized String getAdminToken() throws Exception { + if (Strings.isNullOrEmpty(adminToken)) { + adminToken = getToken("DE_ADMIN_TESTER"); } + return adminToken; + } - @Override - public synchronized String getAdminToken() throws Exception { - if(Strings.isNullOrEmpty(adminToken)) { - adminToken = getToken("DE_ADMIN_TESTER"); - } - return adminToken; + @Override + public synchronized String getEditorToken() throws Exception { + if (Strings.isNullOrEmpty(editorToken)) { + editorToken = getToken("DE_EDITOR_TESTER"); } + return editorToken; + } - @Override - public synchronized String getEditorToken() throws Exception { - if(Strings.isNullOrEmpty(editorToken)) { - editorToken = getToken("DE_EDITOR_TESTER"); - } - return editorToken; + @Override + public synchronized String getNoAccessToken() throws Exception { + if (Strings.isNullOrEmpty(noAccessToken)) { + noAccessToken = getToken("DE_NO_ACCESS_TESTER"); } + return noAccessToken; + } - @Override - public synchronized String getNoAccessToken() throws Exception { - if(Strings.isNullOrEmpty(noAccessToken)) { - noAccessToken = getToken("DE_NO_ACCESS_TESTER"); - } - return noAccessToken; - } - - private String getToken(String testerEnvVar) throws Exception { - log.info("Get {} credentials", testerEnvVar); - String serviceAccountValue = System.getProperty(testerEnvVar, System.getenv(testerEnvVar)); - String audience = System.getProperty("INTEGRATION_TEST_AUDIENCE", 
System.getenv("INTEGRATION_TEST_AUDIENCE")); - if (Strings.isNullOrEmpty(audience)) { - audience = "245464679631-ktfdfpl147m1mjpbutl00b3cmffissgq.apps.googleusercontent.com"; - } - String token = new GoogleServiceAccount(serviceAccountValue).getAuthToken(audience); - return "Bearer " + token; - } + private String getToken(String testerEnvVar) throws Exception { + String serviceAccountValue = System.getProperty(testerEnvVar, System.getenv(testerEnvVar)); + String token = new GoogleServiceAccount(serviceAccountValue).getAuthToken(); + return "Bearer " + token; + } } diff --git a/testing/notification-test-gcp/src/test/java/org/opengroup/osdu/notification/util/GoogleServiceAccount.java b/testing/notification-test-gcp/src/test/java/org/opengroup/osdu/notification/util/GoogleServiceAccount.java index a7540b1a7..ecee84894 100644 --- a/testing/notification-test-gcp/src/test/java/org/opengroup/osdu/notification/util/GoogleServiceAccount.java +++ b/testing/notification-test-gcp/src/test/java/org/opengroup/osdu/notification/util/GoogleServiceAccount.java @@ -1,3 +1,20 @@ +/* + Copyright 2020-2023 Google LLC + Copyright 2020-2023 EPAM Systems, Inc + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + package org.opengroup.osdu.notification.util; import com.google.auth.oauth2.ServiceAccountCredentials; 
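Review bot: In the rewritten `getToken`, the result of `System.getProperty(testerEnvVar, System.getenv(testerEnvVar))` is passed straight to `new GoogleServiceAccount(...)`, so a tester variable that is not set presumably fails inside the content decoder with a message that never names the missing variable. Fail early with the name, using the `Strings` the file already imports: `if (Strings.isNullOrEmpty(serviceAccountValue)) { throw new IllegalStateException(testerEnvVar + " is not set"); }`. The empty `public GCPTestUtils() {}` constructor is the implicit default and can be dropped.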
@@ -21,63 +38,66 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.util.ArrayList; -import java.util.Base64; import java.util.HashMap; import java.util.Map; import static org.opengroup.osdu.config.util.DecodedContentExtractorUtil.NAIVE_JSON_CONTENT_ACCEPTANCE_TESTER; public class GoogleServiceAccount { - public GoogleServiceAccount(String serviceAccountValue)throws IOException { - serviceAccountValue = new DecodedContentExtractor(serviceAccountValue, NAIVE_JSON_CONTENT_ACCEPTANCE_TESTER).getContent(); + public GoogleServiceAccount(String serviceAccountValue) throws IOException { + serviceAccountValue = + new DecodedContentExtractor(serviceAccountValue, NAIVE_JSON_CONTENT_ACCEPTANCE_TESTER) + .getContent(); - try (InputStream inputStream = new ByteArrayInputStream(serviceAccountValue.getBytes())) { - this.serviceAccount = ServiceAccountCredentials.fromStream(inputStream); - } + try (InputStream inputStream = new ByteArrayInputStream(serviceAccountValue.getBytes())) { + this.serviceAccount = ServiceAccountCredentials.fromStream(inputStream); } + } - final ServiceAccountCredentials serviceAccount; + final ServiceAccountCredentials serviceAccount; - public String getEmail(){ - return serviceAccount.getClientEmail(); - } - public String getAuthToken(String audience) throws IOException { - JwtBuilder jwtBuilder = Jwts.builder(); - - Map<String, Object> header = new HashMap<>(); - header.put("type", "JWT"); - header.put("alg", "RS256"); - jwtBuilder.setHeader(header); - - Map<String, Object> claims = new HashMap<>(); - claims.put("target_audience", audience); - claims.put("exp", System.currentTimeMillis() / 1000 + 3600); - claims.put("iat", System.currentTimeMillis() / 1000); - claims.put("iss", getEmail()); - claims.put("aud", "https://www.googleapis.com/oauth2/v4/token"); - jwtBuilder.addClaims(claims); - - jwtBuilder.signWith(SignatureAlgorithm.RS256, serviceAccount.getPrivateKey()); - String jwt = 
jwtBuilder.compact(); - - HttpPost httpPost = new HttpPost("https://www.googleapis.com/oauth2/v4/token"); - - ArrayList<NameValuePair> postParameters = new ArrayList<>(); - postParameters.add(new BasicNameValuePair("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")); - postParameters.add(new BasicNameValuePair("assertion", jwt)); - - HttpClient client = new DefaultHttpClient(); - - httpPost.setEntity(new UrlEncodedFormEntity(postParameters, "UTF-8")); - httpPost.setHeader("Content-Type", "application/x-www-form-urlencoded"); - HttpResponse response = client.execute(httpPost); - - String responseEntity = EntityUtils.toString(response.getEntity()); - JsonObject content = new JsonParser().parse(responseEntity).getAsJsonObject(); - JsonElement auth = content.get("id_token"); - if(auth == null){ - throw new IOException("Failed to retrieve auth token for credentials " + jwt); - } - return auth.getAsString(); + public String getEmail() { + return serviceAccount.getClientEmail(); + } + + public String getAuthToken() throws IOException { + JwtBuilder jwtBuilder = Jwts.builder(); + + Map<String, Object> header = new HashMap<>(); + header.put("type", "JWT"); + header.put("alg", "RS256"); + jwtBuilder.setHeader(header); + + Map<String, Object> claims = new HashMap<>(); + claims.put("target_audience", "osdu"); + claims.put("exp", System.currentTimeMillis() / 1000 + 3600); + claims.put("iat", System.currentTimeMillis() / 1000); + claims.put("iss", getEmail()); + claims.put("aud", "https://www.googleapis.com/oauth2/v4/token"); + jwtBuilder.addClaims(claims); + + jwtBuilder.signWith(SignatureAlgorithm.RS256, serviceAccount.getPrivateKey()); + String jwt = jwtBuilder.compact(); + + HttpPost httpPost = new HttpPost("https://www.googleapis.com/oauth2/v4/token"); + + ArrayList<NameValuePair> postParameters = new ArrayList<>(); + postParameters.add( + new BasicNameValuePair("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")); + postParameters.add(new 
BasicNameValuePair("assertion", jwt)); + + HttpClient client = new DefaultHttpClient(); + + httpPost.setEntity(new UrlEncodedFormEntity(postParameters, "UTF-8")); + httpPost.setHeader("Content-Type", "application/x-www-form-urlencoded"); + HttpResponse response = client.execute(httpPost); + + String responseEntity = EntityUtils.toString(response.getEntity()); + JsonObject content = new JsonParser().parse(responseEntity).getAsJsonObject(); + JsonElement auth = content.get("id_token"); + if (auth == null) { + throw new IOException("Failed to retrieve auth token for credentials " + jwt); } + return auth.getAsString(); + } } -- GitLab
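Review bot: The `throw new IOException("Failed to retrieve auth token for credentials " + jwt)` at the end of `getAuthToken()` puts the freshly signed service-account assertion into the exception message, so a failed exchange writes a still-valid bearer assertion into test output and CI logs. Report the account and the endpoint's answer instead: `throw new IOException("Failed to retrieve auth token for " + getEmail() + ": " + response.getStatusLine());`. Two smaller points in the same hunk: `serviceAccountValue.getBytes()` in the constructor uses the platform charset, where `getBytes(StandardCharsets.UTF_8)` (import `java.nio.charset.StandardCharsets`) keeps the credential JSON stable across runners, and the `DefaultHttpClient` created for the POST is never closed, so its connection is leaked on every call.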