Implement service-to-service auth using client_credentials flow

commit 7f46cdb0 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Thu Nov 19 2020 14:09:50 GMT-0600 (Central Standard Time) 

    Remove debug stms


commit df633a65 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Thu Nov 19 2020 13:18:00 GMT-0600 (Central Standard Time) 

    Remove debug stmt


commit f110b5e0 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Wed Nov 18 2020 14:42:07 GMT-0600 (Central Standard Time) 

    Merge remote-tracking branch 'remotes/origin/dev' into deshruch


commit d9b0d6bf 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Wed Nov 18 2020 14:41:11 GMT-0600 (Central Standard Time) 

    update os-core-lib-ws release version


commit 179bc904 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Tue Nov 17 2020 17:13:46 GMT-0600 (Central Standard Time) 

    update core-lib version


commit 6d2326de 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Tue Nov 17 2020 16:49:13 GMT-0600 (Central Standard Time) 

    update core-lib version


commit 138ec563 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Tue Nov 17 2020 15:48:18 GMT-0600 (Central Standard Time) 

    add debug stsms


commit d561a222 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Tue Nov 17 2020 15:44:53 GMT-0600 (Central Standard Time) 

    Update os-core-lib-aws version


commit ab4445a8 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Tue Nov 17 2020 12:51:21 GMT-0600 (Central Standard Time) 

    Use ServicePrincipal implementation from os-core-lib-aws


commit 4e382145 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Tue Nov 17 2020 12:44:58 GMT-0600 (Central Standard Time) 

    Use release version of os-core-lib-aws


commit 755d743d 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Tue Nov 17 2020 11:23:41 GMT-0600 (Central Standard Time) 

    Move ServicePrincipal code to os-core-lib-aws


commit ee6cb3a7 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Mon Nov 16 2020 17:08:01 GMT-0600 (Central Standard Time) 

    Remove debug stmts


commit 4ad50766 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Mon Nov 16 2020 12:26:29 GMT-0600 (Central Standard Time) 

    oauth client credentials


commit 87ef11e7 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Mon Nov 16 2020 11:19:55 GMT-0600 (Central Standard Time) 

    update core -lib and add debug stsms


commit d34e4028 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Fri Nov 13 2020 16:53:03 GMT-0600 (Central Standard Time) 

    update core-lib version


commit 8360d0d5 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Fri Nov 13 2020 15:48:08 GMT-0600 (Central Standard Time) 

    using test os-ore-lib


commit 9fbb6227 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Fri Nov 13 2020 10:58:03 GMT-0600 (Central Standard Time) 

    Bug fix: add custom scope as env. var


commit 71e207d5 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Thu Nov 12 2020 16:07:30 GMT-0600 (Central Standard Time) 

    Bug Fix: Update SSM parameter retrieval


commit d9459e9e 
Author: Rucha Deshpande <deshruch@amazon.com> 
Date: Thu Nov 12 2020 15:55:32 GMT-0600 (Central Standard Time) 

    Use client credetials flow to get access token

provider/notification-aws/pom.xml

@@ -50,7 +50,7 @@
         <dependency>
             <groupId>org.opengroup.osdu.core.aws</groupId>
             <artifactId>os-core-lib-aws</artifactId>
-            <version>0.3.11</version>
+            <version>0.3.13</version>
         </dependency>
 
         <!-- https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk-secretsmanager -->

provider/notification-aws/src/main/java/org/opengroup/osdu/notification/provider/aws/impl/ServiceAccountJwtAwsClientImpl.java

@@ -12,36 +12,26 @@
 // limitations under the License.
 package org.opengroup.osdu.notification.provider.aws.impl;
 
+
 import com.amazonaws.auth.AWSCredentialsProvider;
-import com.amazonaws.services.secretsmanager.AWSSecretsManager;
-import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
-import com.amazonaws.services.secretsmanager.model.*;
 import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagement;
 import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClientBuilder;
-import com.amazonaws.services.simplesystemsmanagement.model.*;
-import com.fasterxml.jackson.core.JsonParseException;
-import com.fasterxml.jackson.databind.JsonMappingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.amazonaws.services.simplesystemsmanagement.model.GetParameterRequest;
+import com.amazonaws.services.simplesystemsmanagement.model.GetParameterResult;
+import com.amazonaws.services.simplesystemsmanagement.model.Parameter;
 import lombok.AccessLevel;
 import lombok.Getter;
 import lombok.Setter;
 
+import org.opengroup.osdu.core.aws.entitlements.ServicePrincipal;
 import org.opengroup.osdu.core.aws.iam.IAMConfig;
-import org.opengroup.osdu.core.common.logging.JaxRsDpsLog;
+import org.opengroup.osdu.core.aws.secrets.SecretsManager;
 import org.opengroup.osdu.core.common.util.IServiceAccountJwtClient;
-import org.opengroup.osdu.notification.provider.aws.utils.AwsCognitoClient;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 
 import javax.annotation.PostConstruct;
 
-import java.io.IOException;
-
-import java.util.ArrayList;
-
-import java.util.List;
-import java.util.Map;
 
 @Component
 public class ServiceAccountJwtAwsClientImpl implements IServiceAccountJwtClient {
@@ -66,14 +56,20 @@ public class ServiceAccountJwtAwsClientImpl implements IServiceAccountJwtClient
     public String environment;
 
 
-    @Autowired
-    private JaxRsDpsLog log;
+    @Value("${aws.tokenUrl}")
+    @Getter()
+    public String tokenUrl;
+
+    @Value("${aws.oauth.custom.scope}")
+    @Getter()
+    private String awsOauthCustomScope;
+
+
+
+    String client_credentials_secret;
+    String client_credentials_clientid;
+    ServicePrincipal sp;
 
-    String password;
-    String clientid;
-    String userpoolid;
-    String serviceprincipaluser;
-    AwsCognitoClient cognitoClient;
 
     private AWSCredentialsProvider amazonAWSCredentials;
     private AWSSimpleSystemsManagement ssmManager;
@@ -81,132 +77,35 @@ public class ServiceAccountJwtAwsClientImpl implements IServiceAccountJwtClient
     @PostConstruct
     public void init() {
         if (ssmEnabled) {
-            String secretKey = "service_principal_password";
-            String secretName = "/osdu/" + environment + "/service_principal_password";
-            String cognito_user_pool_id = "/osdu/" + environment + "/cognito-user-pool-id";
-            String cognito_client_id = "/osdu/" + environment + "/cognito-client-id";
-            String service_principal = "/osdu/" + environment + "/service-principal-user";
+
+            SecretsManager sm = new SecretsManager();
+            sp = new ServicePrincipal(amazonRegion,environment,tokenUrl,awsOauthCustomScope);
+
+            String client_credentials_client_id = "/osdu/" + environment + "/client-credentials-client-id";
+            String client_secret_key = "client_credentials_client_secret";
+            String client_secret_secretName = "/osdu/" + environment + "/client_credentials_secret";
+
             amazonAWSCredentials = IAMConfig.amazonAWSCredentials();
             ssmManager = AWSSimpleSystemsManagementClientBuilder.standard()
                     .withCredentials(amazonAWSCredentials)
                     .withRegion(amazonRegion)
                     .build();
 
-            GetParametersRequest paramRequest = new GetParametersRequest()
-                    .withNames(cognito_user_pool_id,cognito_client_id,service_principal)
+            GetParameterRequest paramRequest = new GetParameterRequest()
+                    .withName(client_credentials_client_id)
                     .withWithDecryption(true);
-            GetParametersResult paramResult = new GetParametersResult();
-            paramResult = ssmManager.getParameters(paramRequest);
-            List<Parameter> paramsResultList = new ArrayList<>();
-            List<String> paramsResultListInvalid = new ArrayList<>();
-            paramsResultList = paramResult.getParameters();
-            paramsResultListInvalid = paramResult.getInvalidParameters();
-
-            if(paramsResultListInvalid.size() >0)
-            {
-                log.error("SSM did not retrieve all parameters");
-            }
-            for (Parameter s : paramsResultList) {
-                if (s.getName().equalsIgnoreCase(cognito_user_pool_id)) {
-                    userpoolid = s.getValue();
-                }
-                if (s.getName().equalsIgnoreCase(cognito_client_id)) {
-                    clientid = s.getValue();
-                }
-                if (s.getName().equalsIgnoreCase(service_principal)) {
-                    serviceprincipaluser = s.getValue();
-                }
-
-            }
-
-            password = getSecret(secretName,amazonRegion,secretKey);
-             cognitoClient = new AwsCognitoClient(amazonRegion,clientid,"USER_PASSWORD_AUTH", serviceprincipaluser,password);
-             cognitoClient.setPassword(serviceprincipaluser,password,userpoolid);
+            GetParameterResult paramResult = ssmManager.getParameter(paramRequest);
+            Parameter paramsResult = paramResult.getParameter();
+            client_credentials_clientid = paramsResult.getValue();
+            client_credentials_secret = sm.getSecret(client_secret_secretName,amazonRegion,client_secret_key);
+
         }
     }
 
     @Override
     public String getIdToken(String s) {
-
-        String token=  getServicePrincipalCredentials();
+        String token=  sp.getServicePrincipalAccessToken(client_credentials_clientid,client_credentials_secret);
         return token;
-
-    }
-
-    public  String getServicePrincipalCredentials()
-    {
-
-        String token = cognitoClient.getToken(serviceprincipaluser,password,"bearer");
-        return token;
-
-    }
-
-    public  String getSecret(String secretName, String region,String secretKey) {
-
-
-String secretVaue="";
-        // Create a Secrets Manager client
-        AWSSecretsManager client  = AWSSecretsManagerClientBuilder.standard()
-                .withRegion(region)
-                .build();
-
-        String secret="", decodedBinarySecret="";
-        GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest()
-                .withSecretId(secretName);
-        GetSecretValueResult getSecretValueResult = null;
-
-        try {
-            getSecretValueResult = client.getSecretValue(getSecretValueRequest);
-        } catch (DecryptionFailureException e) {
-            // Secrets Manager can't decrypt the protected secret text using the provided KMS key.
-            // Deal with the exception here, and/or rethrow at your discretion.
-            log.error("Error while setting up ServicePrincipalAccount"+e.getMessage());
-            throw e;
-        } catch (InternalServiceErrorException e) {
-            // An error occurred on the server side.
-            // Deal with the exception here, and/or rethrow at your discretion.
-            log.error("Error while setting up ServicePrincipalAccount"+e.getMessage());
-            throw e;
-        } catch (InvalidParameterException e) {
-            // You provided an invalid value for a parameter.
-            // Deal with the exception here, and/or rethrow at your discretion.
-            log.error("Error while setting up ServicePrincipalAccount"+e.getMessage());
-            throw e;
-        } catch (InvalidRequestException e) {
-            // You provided a parameter value that is not valid for the current state of the resource.
-            // Deal with the exception here, and/or rethrow at your discretion.
-            log.error("Error while setting up ServicePrincipalAccount"+e.getMessage());
-            throw e;
-        } catch (ResourceNotFoundException e) {
-            // We can't find the resource that you asked for.
-            // Deal with the exception here, and/or rethrow at your discretion.
-            log.error("Error while setting up ServicePrincipalAccount"+e.getMessage());
-            throw e;
-        }
-
-        // Decrypts secret using the associated KMS CMK.
-        // Depending on whether the secret is a string or binary, one of these fields will be populated.
-        if (getSecretValueResult.getSecretString() != null) {
-            secret = getSecretValueResult.getSecretString();
-            Map<String, String> secretMap=null;
-
-            try
-            {
-                secretMap = new ObjectMapper().readValue(secret.getBytes(), Map.class);
-
-            } catch (JsonParseException e) {
-                log.error(e.getMessage());
-            } catch (JsonMappingException e) {
-                log.error(e.getMessage());
-            } catch (IOException e) {
-                log.error(e.getMessage());
-            }
-
-             secretVaue = secretMap.get(secretKey);
-        }
-
-
-        return secretVaue;
     }
 
 

provider/notification-aws/src/main/resources/application.properties

@@ -28,7 +28,8 @@ aws.region=${AWS_REGION}
 aws.dynamodb.table.prefix=${RESOURCE_PREFIX}-
 aws.dynamodb.endpoint=dynamodb.${AWS_REGION}.amazonaws.com
 
-
+aws.tokenUrl=${OAUTH_TOKEN_URL}
+aws.oauth.custom.scope=${OAUTH_CUSTOM_SCOPE}
 app.expireTime=300
 app.maxCacheSize=10
 

testing/notification-test-aws/pom.xml

@@ -38,14 +38,13 @@
         <java.version>8</java.version>
         <maven.compiler.target>${java.version}</maven.compiler.target>
         <maven.compiler.source>${java.version}</maven.compiler.source>
-        <os-core-lib-aws.version>0.3.11</os-core-lib-aws.version>
     </properties>
 
     <dependencies>
         <dependency>
             <groupId>org.opengroup.osdu.core.aws</groupId>
             <artifactId>os-core-lib-aws</artifactId>
-            <version>0.3.11</version>
+            <version>0.3.13</version>
         </dependency>
         <dependency>
             <groupId>com.amazonaws</groupId>