Commit 666bad62 authored by Komal Makkar's avatar Komal Makkar

adding auth mechanism for pubsub request

parent 75472600
......@@ -87,6 +87,11 @@
<artifactId>notification-core</artifactId>
<version>1.0.0</version>
</dependency>
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>3.3.0</version>
</dependency>
<!--
Override the spring-boot version of these dependencies to the ones
......
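Review bot: The new dependency pins java-jwt at 3.3.0, which is a 2017-era release; the 3.x line has had many later releases and a 4.x line exists, so the pin should be checked against current advisories and bumped to a supported release before merging. Nothing in the hunk explains why this particular version was chosen, so a short comment next to the `<version>` element, or a property in the parent POM, would make the choice reviewable.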
......@@ -40,6 +40,9 @@ public class AppProperties implements IAppProperties {
@Value("${aad.oboApi}")
private String aadOboAPI;
@Value("${aad.eventGridId}")
private String eventGridId;
@Autowired
private SecretClient secretClient;
......@@ -53,6 +56,10 @@ public class AppProperties implements IAppProperties {
return aadOboAPI;
}
public String getEventGridId() {
return eventGridId;
}
public String getAuthorizeAPI() {
return this.authorizeAPI;
}
......
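Review bot: The new `eventGridId` field and `getEventGridId()` carry no documentation, and the name alone does not say what the value is compared against; the validator change in this commit matches it against the `appid` claim of the publisher's token, so a comment such as `/** Application (client) id expected in the {@code appid} claim of Event Grid publisher tokens. */` on the getter would make that contract explicit. The getter also drops the `this.` prefix used by the neighbouring `getAuthorizeAPI()`; either form is fine, but the class should pick one. Whether `IAppProperties` declares `getEventGridId()` is not visible here; if it does not, the method is only reachable through the concrete type.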
......@@ -14,6 +14,9 @@
package org.opengroup.osdu.notification.provider.azure.util;
import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
import org.opengroup.osdu.core.common.logging.JaxRsDpsLog;
import org.opengroup.osdu.notification.provider.interfaces.IServiceAccountValidator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
......@@ -21,21 +24,29 @@ import org.springframework.stereotype.Service;
@Service
public class AzureServiceAccountValidatorImpl implements IServiceAccountValidator {
private final static String APP_ID_CLAIM = "appid";
@Autowired
AppProperties appProperties;
@Autowired
JaxRsDpsLog logger;
@Override
public boolean isValidPublisherServiceAccount(String token) {
return isValidServiceAccount(token, this.appProperties.getAadClientID());
return isValidServiceAccount(token, this.appProperties.getEventGridId());
}
@Override
public boolean isValidServiceAccount(String token, String userIdentity, String... audiences) {
// TODO : find out if this will be required to authZ,
// when we are are authZ through Entitlement Service.
//
// Tracking through a issue.
DecodedJWT jwt = JWT.decode(token);
String appIdClaim = jwt.getClaim(APP_ID_CLAIM).asString();
if(appIdClaim!= null && appIdClaim.equals(userIdentity)) {
logger.info("PubSub authorized");
return true;
}
return false;
}
}
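Review bot: `JWT.decode(token)` in `isValidServiceAccount` only base64-decodes the payload and never checks the signature, so the `appid` comparison that follows trusts a claim the token presenter controls, and with the expected id committed to application.properties this does not authenticate the publisher. Verification has to happen before any claim is read, e.g. `DecodedJWT jwt = JWT.require(algorithm).build().verify(token);` where `algorithm` is built from the issuer's signing key (for AAD that would be its published JWKS; nothing on this page shows where that key would come from), and the `audiences` parameter, currently ignored, should feed `withAudience(...)` on the same verifier. A malformed token also makes `JWT.decode` throw `JWTDecodeException` rather than returning false; wrapping the call in `catch (JWTVerificationException e)` that logs and returns false keeps the method's boolean contract and covers the verification failure too. The four-line TODO should name the tracked issue so the reader knows whether this check is meant to be temporary.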
......@@ -44,17 +44,14 @@ public class ServiceAccountJwtAzureClientImpl implements IServiceAccountJwtClien
private IJwtCache tenantJwtCache;
public String getIdToken(String tenantName) {
TenantInfo tenant = this.tenantInfoServiceProvider.getTenantInfo(tenantName);
if (tenant == null) {
throw new AppException(HttpStatus.SC_BAD_REQUEST, "Invalid tenant Name", "Invalid tenant Name from azure");
}
String ACCESS_TOKEN = "";
ExecutorService service = null;
try {
// TODO : Refactor to move ID token form Common.Core.model.search to Common.core
IdToken cachedToken = (IdToken) this.tenantJwtCache.get(tenant.getName());
IdToken cachedToken = (IdToken) this.tenantJwtCache.get(tenantName);
if ((cachedToken != null) && !IdToken.refreshToken(cachedToken)) {
return "Bearer " + cachedToken.getTokenValue();
......@@ -65,7 +62,7 @@ public class ServiceAccountJwtAzureClientImpl implements IServiceAccountJwtClien
ACCESS_TOKEN = getAccessToken(service);
IdToken idToken = IdToken.builder().tokenValue(ACCESS_TOKEN).expirationTimeMillis(JWT.decode(ACCESS_TOKEN).getExpiresAt().getTime()).build();
this.tenantJwtCache.put(tenant.getName(), idToken);
this.tenantJwtCache.put(tenantName, idToken);
} finally {
if(service != null) {
service.shutdown();
......
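Review bot: Removing the `TenantInfo` lookup and the `Invalid tenant Name` check in the first hunk drops the only validation of `tenantName` before it becomes the cache key, so a request for an unknown tenant now obtains and caches a token under that name instead of failing with 400. Since `getAccessToken(service)` takes no tenant argument, the token appears to be tenant-independent, which would mean the cache is keyed by an unvalidated caller-supplied string for a value that does not vary by tenant; if that is intended, a comment on `getIdToken` saying the token is not tenant-scoped would help, otherwise keep an existence check on the tenant. `getIdToken` starts at the top of the first hunk and continues past both hunks, and `tenantInfoServiceProvider` may now be unused if this was its only call site.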
......@@ -30,6 +30,7 @@ azure.activedirectory.session-stateless=true
aad.oboApi=${aad_client_id}
azure.application-insights.instrumentation-key=${appinsights_key}
aad.eventGridId=4962773b-9cdb-44cf-a8bf-237846a00ab7
# Azure CosmosDB configuration
azure.cosmosdb.database=${cosmosdb_database}
......
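Review bot: The new `aad.eventGridId` line commits a literal id while every neighbouring AAD and App Insights setting is injected through a `${...}` placeholder, so this value cannot differ per environment without editing the file. Following the surrounding convention, `aad.eventGridId=${aad_event_grid_id}` (placeholder name constructed here) keeps the deployment-specific value out of the source tree; a short comment above the line saying that it is matched against the publisher token's `appid` claim would also help whoever has to set it.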
......@@ -14,6 +14,8 @@
package org.opengroup.osdu.notification.util;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
......@@ -25,11 +27,13 @@ import org.mockito.junit.MockitoJUnitRunner;
import org.opengroup.osdu.notification.provider.azure.util.AppProperties;
import org.opengroup.osdu.notification.provider.azure.util.AzureServiceAccountValidatorImpl;
import java.io.UnsupportedEncodingException;
import static org.mockito.Mockito.when;
import static org.mockito.MockitoAnnotations.initMocks;
public class AzureServiceAccountValidatorImplTest {
private static String invalidAADClientID = "testInvalidAADClientID";
private static String eventGridId = "eventgridid";
private static String invalidJWT = "invalidJWT";
@Mock
......@@ -42,16 +46,19 @@ public class AzureServiceAccountValidatorImplTest {
@Before
public void setup() {
initMocks(this);
when(this.appProperties.getAadClientID()).thenReturn(invalidAADClientID);
when(this.appProperties.getEventGridId()).thenReturn(eventGridId);
}
@Test
public void should_returnFalse_isValidServiceAccount() {
public void should_returnFalse_isValidServiceAccount() throws UnsupportedEncodingException {
// Set Up
boolean expected = false;
Algorithm algorithm = Algorithm.HMAC256("secret");
String token = JWT.create()
.withIssuer("auth0")
.sign(algorithm);
// Act
boolean observed = this.sut.isValidPublisherServiceAccount(invalidJWT);
boolean observed = this.sut.isValidPublisherServiceAccount(token);
// Assert
Assert.assertEquals(expected, observed);
......
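Review bot: The updated `should_returnFalse_isValidServiceAccount` still only exercises the negative path (a token with no `appid` claim), so the new `eventGridId` comparison is never shown to succeed or to reject a non-matching id; a second case built with `.withClaim("appid", eventGridId)` asserting true, and one with a different claim value asserting false, would pin the behaviour. The test also shows that a token signed with `Algorithm.HMAC256("secret")` passes decoding in the implementation, which is worth a comment so the reader does not take it as evidence that signatures are being verified. `invalidAADClientID` appears to be left unused now that the `getAadClientID()` stub in `setup()` is gone.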