From 5431b20714bc315ee7bf5bd005780cdd9a1ec29b Mon Sep 17 00:00:00 2001 
From: Rucha Deshpande <deshruch@amazon.com> Date: Thu, 19 Nov 2020 20:35:16 +0000 Subject: [PATCH] Implement service-to-service auth using client_credentials flow commit 7f46cdb0 Author: Rucha Deshpande <deshruch@amazon.com> Date: Thu Nov 19 2020 14:09:50 GMT-0600 (Central Standard Time) Remove debug stms commit df633a65 Author: Rucha Deshpande <deshruch@amazon.com> Date: Thu Nov 19 2020 13:18:00 GMT-0600 (Central Standard Time) Remove debug stmt commit f110b5e0 Author: Rucha Deshpande <deshruch@amazon.com> Date: Wed Nov 18 2020 14:42:07 GMT-0600 (Central Standard Time) Merge remote-tracking branch 'remotes/origin/dev' into deshruch commit d9b0d6bf Author: Rucha Deshpande <deshruch@amazon.com> Date: Wed Nov 18 2020 14:41:11 GMT-0600 (Central Standard Time) update os-core-lib-ws release version commit 179bc904 Author: Rucha Deshpande <deshruch@amazon.com> Date: Tue Nov 17 2020 17:13:46 GMT-0600 (Central Standard Time) update core-lib version commit 6d2326de Author: Rucha Deshpande <deshruch@amazon.com> Date: Tue Nov 17 2020 16:49:13 GMT-0600 (Central Standard Time) update core-lib version commit 138ec563 Author: Rucha Deshpande <deshruch@amazon.com> Date: Tue Nov 17 2020 15:48:18 GMT-0600 (Central Standard Time) add debug stsms commit d561a222 Author: Rucha Deshpande <deshruch@amazon.com> Date: Tue Nov 17 2020 15:44:53 GMT-0600 (Central Standard Time) Update os-core-lib-aws version commit ab4445a8 Author: Rucha Deshpande <deshruch@amazon.com> Date: Tue Nov 17 2020 12:51:21 GMT-0600 (Central Standard Time) Use ServicePrincipal implementation from os-core-lib-aws commit 4e382145 Author: Rucha Deshpande <deshruch@amazon.com> Date: Tue Nov 17 2020 12:44:58 GMT-0600 (Central Standard Time) Use release version of os-core-lib-aws commit 755d743d Author: Rucha Deshpande <deshruch@amazon.com> Date: Tue Nov 17 2020 11:23:41 GMT-0600 (Central Standard Time) Move ServicePrincipal code to os-core-lib-aws commit ee6cb3a7 Author: Rucha Deshpande <deshruch@amazon.com> Date: Mon Nov 
16 2020 17:08:01 GMT-0600 (Central Standard Time) Remove debug stmts commit 4ad50766 Author: Rucha Deshpande <deshruch@amazon.com> Date: Mon Nov 16 2020 12:26:29 GMT-0600 (Central Standard Time) oauth client credentials commit 87ef11e7 Author: Rucha Deshpande <deshruch@amazon.com> Date: Mon Nov 16 2020 11:19:55 GMT-0600 (Central Standard Time) update core -lib and add debug stsms commit d34e4028 Author: Rucha Deshpande <deshruch@amazon.com> Date: Fri Nov 13 2020 16:53:03 GMT-0600 (Central Standard Time) update core-lib version commit 8360d0d5 Author: Rucha Deshpande <deshruch@amazon.com> Date: Fri Nov 13 2020 15:48:08 GMT-0600 (Central Standard Time) using test os-ore-lib commit 9fbb6227 Author: Rucha Deshpande <deshruch@amazon.com> Date: Fri Nov 13 2020 10:58:03 GMT-0600 (Central Standard Time) Bug fix: add custom scope as env. var commit 71e207d5 Author: Rucha Deshpande <deshruch@amazon.com> Date: Thu Nov 12 2020 16:07:30 GMT-0600 (Central Standard Time) Bug Fix: Update SSM parameter retrieval commit d9459e9e Author: Rucha Deshpande <deshruch@amazon.com> Date: Thu Nov 12 2020 15:55:32 GMT-0600 (Central Standard Time) Use client credetials flow to get access token --- provider/notification-aws/pom.xml | 2 +- .../impl/ServiceAccountJwtAwsClientImpl.java | 171 ++++-------------- .../src/main/resources/application.properties | 3 +- testing/notification-test-aws/pom.xml | 3 +- 4 files changed, 39 insertions(+), 140 deletions(-) diff --git a/provider/notification-aws/pom.xml b/provider/notification-aws/pom.xml index 85ddaf9fc..19bd5d784 100644 --- a/provider/notification-aws/pom.xml +++ b/provider/notification-aws/pom.xml @@ -50,7 +50,7 @@ <dependency> <groupId>org.opengroup.osdu.core.aws</groupId> <artifactId>os-core-lib-aws</artifactId> - <version>0.3.11</version> + <version>0.3.13</version> </dependency> <!-- https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk-secretsmanager --> 
diff --git a/provider/notification-aws/src/main/java/org/opengroup/osdu/notification/provider/aws/impl/ServiceAccountJwtAwsClientImpl.java b/provider/notification-aws/src/main/java/org/opengroup/osdu/notification/provider/aws/impl/ServiceAccountJwtAwsClientImpl.java
index dcfbf42aa..02e2b91e7 100644
--- a/provider/notification-aws/src/main/java/org/opengroup/osdu/notification/provider/aws/impl/ServiceAccountJwtAwsClientImpl.java
+++ b/provider/notification-aws/src/main/java/org/opengroup/osdu/notification/provider/aws/impl/ServiceAccountJwtAwsClientImpl.java
@@ -12,36 +12,26 @@ // limitations under the License.
 package org.opengroup.osdu.notification.provider.aws.impl;
+
 import com.amazonaws.auth.AWSCredentialsProvider;
-import com.amazonaws.services.secretsmanager.AWSSecretsManager;
-import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
-import com.amazonaws.services.secretsmanager.model.*;
 import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagement;
 import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClientBuilder;
-import com.amazonaws.services.simplesystemsmanagement.model.*;
-import com.fasterxml.jackson.core.JsonParseException;
-import com.fasterxml.jackson.databind.JsonMappingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.amazonaws.services.simplesystemsmanagement.model.GetParameterRequest;
+import com.amazonaws.services.simplesystemsmanagement.model.GetParameterResult;
+import com.amazonaws.services.simplesystemsmanagement.model.Parameter;
 import lombok.AccessLevel;
 import lombok.Getter;
 import lombok.Setter;
+import org.opengroup.osdu.core.aws.entitlements.ServicePrincipal;
 import org.opengroup.osdu.core.aws.iam.IAMConfig;
-import org.opengroup.osdu.core.common.logging.JaxRsDpsLog;
+import org.opengroup.osdu.core.aws.secrets.SecretsManager;
 import org.opengroup.osdu.core.common.util.IServiceAccountJwtClient;
-import org.opengroup.osdu.notification.provider.aws.utils.AwsCognitoClient;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 import javax.annotation.PostConstruct;
-import java.io.IOException;
-
-import java.util.ArrayList;
-
-import java.util.List;
-import java.util.Map;
 @Component
 public class ServiceAccountJwtAwsClientImpl implements IServiceAccountJwtClient {
@@ -66,14 +56,20 @@ public class ServiceAccountJwtAwsClientImpl implements IServiceAccountJwtClient
 public String environment;
- @Autowired
- private JaxRsDpsLog log;
+ @Value("${aws.tokenUrl}")
+ @Getter()
+ public String tokenUrl;
+
+ @Value("${aws.oauth.custom.scope}")
+ @Getter()
+ private String awsOauthCustomScope;
+
+
+
+ String client_credentials_secret;
+ String client_credentials_clientid;
+ ServicePrincipal sp;
- String password;
- String clientid;
- String userpoolid;
- String serviceprincipaluser;
- AwsCognitoClient cognitoClient;
 private AWSCredentialsProvider amazonAWSCredentials;
 private AWSSimpleSystemsManagement ssmManager;
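Review bot: The new fields `client_credentials_secret`, `client_credentials_clientid` and `sp` are package-private and non-final, and `tokenUrl` is declared `public` while also carrying `@Getter()`, so the client secret and the token endpoint are readable and writable from any class in the package; they should be `private` like the neighbouring `awsOauthCustomScope`, with the redundant `public` on `tokenUrl` dropped. The snake_case names also break the file's camelCase convention seen in `amazonAWSCredentials` and `ssmManager`; `private String clientCredentialsSecret;` and `private String clientCredentialsClientId;` read more naturally, and the three consecutive blank added lines before them can collapse to one. A short comment on the secret field would help the next reader, e.g. `// OAuth2 client_credentials secret loaded from Secrets Manager in init(); must never be logged`. The same renaming applies to the uses in the `init()` and `getIdToken` hunk below.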
@@ -81,132 +77,35 @@ public class ServiceAccountJwtAwsClientImpl implements IServiceAccountJwtClient @PostConstruct public void init() { if (ssmEnabled) { - String secretKey = "service_principal_password"; - String secretName = "/osdu/" + environment + "/service_principal_password"; - String cognito_user_pool_id = "/osdu/" + environment + "/cognito-user-pool-id"; - String cognito_client_id = "/osdu/" + environment + "/cognito-client-id"; - String service_principal = "/osdu/" + environment + "/service-principal-user"; + + SecretsManager sm = new SecretsManager(); + sp = new ServicePrincipal(amazonRegion,environment,tokenUrl,awsOauthCustomScope); + + String client_credentials_client_id = "/osdu/" + environment + "/client-credentials-client-id"; + String client_secret_key = "client_credentials_client_secret"; + String client_secret_secretName = "/osdu/" + environment + "/client_credentials_secret"; + amazonAWSCredentials = IAMConfig.amazonAWSCredentials(); ssmManager = AWSSimpleSystemsManagementClientBuilder.standard() .withCredentials(amazonAWSCredentials) .withRegion(amazonRegion) .build(); - GetParametersRequest paramRequest = new GetParametersRequest() - .withNames(cognito_user_pool_id,cognito_client_id,service_principal) + GetParameterRequest paramRequest = new GetParameterRequest() + .withName(client_credentials_client_id) .withWithDecryption(true); - GetParametersResult paramResult = new GetParametersResult(); - paramResult = ssmManager.getParameters(paramRequest); - List<Parameter> paramsResultList = new ArrayList<>(); - List<String> paramsResultListInvalid = new ArrayList<>(); - paramsResultList = paramResult.getParameters(); - paramsResultListInvalid = paramResult.getInvalidParameters(); - - if(paramsResultListInvalid.size() >0) - { - log.error("SSM did not retrieve all parameters"); - } - for (Parameter s : paramsResultList) { - if (s.getName().equalsIgnoreCase(cognito_user_pool_id)) { - userpoolid = s.getValue(); - } - if 
(s.getName().equalsIgnoreCase(cognito_client_id)) { - clientid = s.getValue(); - } - if (s.getName().equalsIgnoreCase(service_principal)) { - serviceprincipaluser = s.getValue(); - } - - } - - password = getSecret(secretName,amazonRegion,secretKey); - cognitoClient = new AwsCognitoClient(amazonRegion,clientid,"USER_PASSWORD_AUTH", serviceprincipaluser,password); - cognitoClient.setPassword(serviceprincipaluser,password,userpoolid); + GetParameterResult paramResult = ssmManager.getParameter(paramRequest); + Parameter paramsResult = paramResult.getParameter(); + client_credentials_clientid = paramsResult.getValue(); + client_credentials_secret = sm.getSecret(client_secret_secretName,amazonRegion,client_secret_key); + } } @Override public String getIdToken(String s) { - - String token= getServicePrincipalCredentials(); + String token= sp.getServicePrincipalAccessToken(client_credentials_clientid,client_credentials_secret); return token; - - } - - public String getServicePrincipalCredentials() - { - - String token = cognitoClient.getToken(serviceprincipaluser,password,"bearer"); - return token; - - } - - public String getSecret(String secretName, String region,String secretKey) { - - -String secretVaue=""; - // Create a Secrets Manager client - AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard() - .withRegion(region) - .build(); - - String secret="", decodedBinarySecret=""; - GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest() - .withSecretId(secretName); - GetSecretValueResult getSecretValueResult = null; - - try { - getSecretValueResult = client.getSecretValue(getSecretValueRequest); - } catch (DecryptionFailureException e) { - // Secrets Manager can't decrypt the protected secret text using the provided KMS key. - // Deal with the exception here, and/or rethrow at your discretion. 
- log.error("Error while setting up ServicePrincipalAccount"+e.getMessage()); - throw e; - } catch (InternalServiceErrorException e) { - // An error occurred on the server side. - // Deal with the exception here, and/or rethrow at your discretion. - log.error("Error while setting up ServicePrincipalAccount"+e.getMessage()); - throw e; - } catch (InvalidParameterException e) { - // You provided an invalid value for a parameter. - // Deal with the exception here, and/or rethrow at your discretion. - log.error("Error while setting up ServicePrincipalAccount"+e.getMessage()); - throw e; - } catch (InvalidRequestException e) { - // You provided a parameter value that is not valid for the current state of the resource. - // Deal with the exception here, and/or rethrow at your discretion. - log.error("Error while setting up ServicePrincipalAccount"+e.getMessage()); - throw e; - } catch (ResourceNotFoundException e) { - // We can't find the resource that you asked for. - // Deal with the exception here, and/or rethrow at your discretion. - log.error("Error while setting up ServicePrincipalAccount"+e.getMessage()); - throw e; - } - - // Decrypts secret using the associated KMS CMK. - // Depending on whether the secret is a string or binary, one of these fields will be populated. - if (getSecretValueResult.getSecretString() != null) { - secret = getSecretValueResult.getSecretString(); - Map<String, String> secretMap=null; - - try - { - secretMap = new ObjectMapper().readValue(secret.getBytes(), Map.class); - - } catch (JsonParseException e) { - log.error(e.getMessage()); - } catch (JsonMappingException e) { - log.error(e.getMessage()); - } catch (IOException e) { - log.error(e.getMessage()); - } - - secretVaue = secretMap.get(secretKey); - } - - - return secretVaue; } diff --git a/provider/notification-aws/src/main/resources/application.properties b/provider/notification-aws/src/main/resources/application.properties index 6412b3546..cfccbdec8 100644 
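Review bot: `sp`, `client_credentials_clientid` and `client_credentials_secret` are assigned only inside `if (ssmEnabled)` in `init()`, yet `getIdToken` calls `sp.getServicePrincipalAccessToken(...)` unconditionally, so with SSM disabled the first token request fails with a NullPointerException instead of a clear configuration error. The `ServicePrincipal` constructor takes only `amazonRegion`, `environment`, `tokenUrl` and `awsOauthCustomScope`, so it could be built before the `if`, but the SSM-sourced client id and secret would still be null, so `getIdToken` should guard: `if (sp == null || client_credentials_clientid == null) { throw new IllegalStateException("service principal credentials not initialised; SSM-backed configuration is required"); }`. The raw secret is also passed to `getServicePrincipalAccessToken` on every call; if that method in os-core-lib-aws 0.3.13 does not cache the access token, each notification delivery costs a round trip to `tokenUrl`, which is worth confirming. The removal of the `JaxRsDpsLog` field means a failure in `getParameter` or `getSecret` now surfaces only as the exception thrown from `@PostConstruct`, which is acceptable for fail-fast startup but should be stated in the method's Javadoc.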
--- a/provider/notification-aws/src/main/resources/application.properties
+++ b/provider/notification-aws/src/main/resources/application.properties
@@ -28,7 +28,8 @@ aws.region=${AWS_REGION}
 aws.dynamodb.table.prefix=${RESOURCE_PREFIX}-
 aws.dynamodb.endpoint=dynamodb.${AWS_REGION}.amazonaws.com
-
+aws.tokenUrl=${OAUTH_TOKEN_URL}
+aws.oauth.custom.scope=${OAUTH_CUSTOM_SCOPE}
 app.expireTime=300
 app.maxCacheSize=10
diff --git a/testing/notification-test-aws/pom.xml b/testing/notification-test-aws/pom.xml
index fa94003e2..806791ec1 100644
--- a/testing/notification-test-aws/pom.xml
+++ b/testing/notification-test-aws/pom.xml
@@ -38,14 +38,13 @@ <java.version>8</java.version>
 <maven.compiler.target>${java.version}</maven.compiler.target>
 <maven.compiler.source>${java.version}</maven.compiler.source>
- <os-core-lib-aws.version>0.3.11</os-core-lib-aws.version>
 </properties>
 <dependencies>
 <dependency>
 <groupId>org.opengroup.osdu.core.aws</groupId>
 <artifactId>os-core-lib-aws</artifactId>
- <version>0.3.11</version>
+ <version>0.3.13</version>
 </dependency>
 <dependency>
 <groupId>com.amazonaws</groupId>
-- GitLab
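Review bot: The two new keys in application.properties use different naming schemes, `aws.tokenUrl` in camelCase next to the dot-separated `aws.oauth.custom.scope`, which hides that they configure the same OAuth client_credentials flow. A consistent pair such as `aws.oauth.token.url=${OAUTH_TOKEN_URL}` and `aws.oauth.custom.scope=${OAUTH_CUSTOM_SCOPE}` would be easier to find, with the matching `@Value` in ServiceAccountJwtAwsClientImpl updated to the same key. Neither placeholder has a default, so an unset `OAUTH_TOKEN_URL` should fail when the bean is created rather than at the first token request, which is the desired behaviour and is worth recording wherever the service's required environment variables are documented.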