Commit 755d743d authored by Rucha Deshpande's avatar Rucha Deshpande

Move ServicePrincipal code to os-core-lib-aws

parent ee6cb3a7
......@@ -50,7 +50,7 @@
<dependency>
<groupId>org.opengroup.osdu.core.aws</groupId>
<artifactId>os-core-lib-aws</artifactId>
<version>0.3.12-SNAPSHOT</version>
<version>0.3.12-deshruch-SNAPSHOT</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk-secretsmanager -->
......
......@@ -12,39 +12,15 @@
// limitations under the License.
package org.opengroup.osdu.notification.provider.aws.impl;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.*;
import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagement;
import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClientBuilder;
import com.amazonaws.services.simplesystemsmanagement.model.*;
import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.gson.JsonSyntaxException;
import lombok.AccessLevel;
import lombok.Getter;
import lombok.Setter;
import org.opengroup.osdu.core.aws.entitlements.AccessToken;
import org.opengroup.osdu.core.aws.iam.IAMConfig;
import org.opengroup.osdu.core.common.http.HttpClient;
import org.opengroup.osdu.core.common.http.HttpRequest;
import org.opengroup.osdu.core.common.http.HttpResponse;
import org.opengroup.osdu.core.common.http.IHttpClient;
import org.opengroup.osdu.core.common.logging.JaxRsDpsLog;
import org.opengroup.osdu.core.common.model.entitlements.EntitlementsException;
import org.opengroup.osdu.core.common.util.IServiceAccountJwtClient;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import javax.annotation.PostConstruct;
import java.io.IOException;
import java.util.*;
@Component
public class ServiceAccountJwtAwsClientImpl implements IServiceAccountJwtClient {
......@@ -69,172 +45,14 @@ public class ServiceAccountJwtAwsClientImpl implements IServiceAccountJwtClient
public String environment;
@Value("${aws.tokenUrl}")
@Getter()
public String tokenUrl;
@Value("${aws.oauth.custom.scope}")
private String awsOauthCustomScope;
@Autowired
private JaxRsDpsLog log;
String client_credentials_secret;
String client_credentials_clientid;
private AWSCredentialsProvider amazonAWSCredentials;
private AWSSimpleSystemsManagement ssmManager;
@PostConstruct
public void init() {
if (ssmEnabled) {
String client_credentials_client_id = "/osdu/" + environment + "/client-credentials-client-id";
String client_secret_key = "client_credentials_client_secret";
String client_secret_secretName = "/osdu/" + environment + "/client_credentials_secret";
amazonAWSCredentials = IAMConfig.amazonAWSCredentials();
ssmManager = AWSSimpleSystemsManagementClientBuilder.standard()
.withCredentials(amazonAWSCredentials)
.withRegion(amazonRegion)
.build();
GetParameterRequest paramRequest = new GetParameterRequest()
.withName(client_credentials_client_id)
.withWithDecryption(true);
GetParameterResult paramResult = ssmManager.getParameter(paramRequest);
Parameter paramsResult = paramResult.getParameter();
client_credentials_clientid = paramsResult.getValue();
client_credentials_secret = getSecret(client_secret_secretName,amazonRegion,client_secret_key);
}
}
@Override
public String getIdToken(String s) {
String token= getServicePrincipalCredentials();
ServicePrincipal sp = new ServicePrincipal(amazonRegion,environment);
String token= sp.getServicePrincipalAccessToken();
return token;
}
public String getServicePrincipalCredentials()
{
String token=null;
Map<String,String> headers = new HashMap<>();
String authorizationHeaderContents=getEncodedAuthorization(client_credentials_clientid,client_credentials_secret);
headers.put("Authorization","Basic "+authorizationHeaderContents);
headers.put("Content-Type", "application/x-www-form-urlencoded");
IHttpClient httpClient = new HttpClient();
String url = tokenUrl+"?grant_type=client_credentials&client_id="+client_credentials_clientid+"&scope="+awsOauthCustomScope;
HttpRequest rq = HttpRequest.post().url(url).headers(headers).build();
HttpResponse result = httpClient.send(rq);
try {
AccessToken accessToken = this.getResult(result, AccessToken.class);
token = accessToken.getAccess_token();
}catch(Exception e)
{
System.out.println("Could not parse AccessToken result to get access_token");
}
return "Bearer "+token;
}
public String getSecret(String secretName, String region,String secretKey) {
String secretVaue="";
// Create a Secrets Manager client
AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard()
.withRegion(region)
.build();
String secret="", decodedBinarySecret="";
GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest()
.withSecretId(secretName);
GetSecretValueResult getSecretValueResult = null;
try {
getSecretValueResult = client.getSecretValue(getSecretValueRequest);
} catch (DecryptionFailureException e) {
// Secrets Manager can't decrypt the protected secret text using the provided KMS key.
// Deal with the exception here, and/or rethrow at your discretion.
log.error("Error while setting up ServicePrincipalAccount"+e.getMessage());
throw e;
} catch (InternalServiceErrorException e) {
// An error occurred on the server side.
// Deal with the exception here, and/or rethrow at your discretion.
log.error("Error while setting up ServicePrincipalAccount"+e.getMessage());
throw e;
} catch (InvalidParameterException e) {
// You provided an invalid value for a parameter.
// Deal with the exception here, and/or rethrow at your discretion.
log.error("Error while setting up ServicePrincipalAccount"+e.getMessage());
throw e;
} catch (InvalidRequestException e) {
// You provided a parameter value that is not valid for the current state of the resource.
// Deal with the exception here, and/or rethrow at your discretion.
log.error("Error while setting up ServicePrincipalAccount"+e.getMessage());
throw e;
} catch (ResourceNotFoundException e) {
// We can't find the resource that you asked for.
// Deal with the exception here, and/or rethrow at your discretion.
log.error("Error while setting up ServicePrincipalAccount"+e.getMessage());
throw e;
}
// Decrypts secret using the associated KMS CMK.
// Depending on whether the secret is a string or binary, one of these fields will be populated.
if (getSecretValueResult.getSecretString() != null) {
secret = getSecretValueResult.getSecretString();
Map<String, String> secretMap=null;
try
{
secretMap = new ObjectMapper().readValue(secret.getBytes(), Map.class);
} catch (JsonParseException e) {
log.error(e.getMessage());
} catch (JsonMappingException e) {
log.error(e.getMessage());
} catch (IOException e) {
log.error(e.getMessage());
}
secretVaue = secretMap.get(secretKey);
}
return secretVaue;
}
public String getEncodedAuthorization(String clientID, String clientSecret)
{
String base64Auth = Base64.getEncoder().encodeToString((clientID+":"+ clientSecret).getBytes());
return base64Auth;
}
private <T> T getResult(HttpResponse result, Class<T> type) throws EntitlementsException {
if (result.isSuccessCode()) {
try {
return result.parseBody(type);
} catch (JsonSyntaxException e) {
throw new EntitlementsException("Error parsing response. Check the inner HttpResponse for more info.",
result);
}
} else {
throw this.generateEntitlementsException(result);
}
}
private EntitlementsException generateEntitlementsException(HttpResponse result) {
return new EntitlementsException(
"Could not generate accessToken in Notification Service with client_credentials flow.", result);
}
}
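Review bot: The rewritten `getIdToken` returns `sp.getServicePrincipalAccessToken()` unchanged, whereas the removed `getServicePrincipalCredentials` returned `"Bearer "+token`; unless the library method already prepends the scheme, callers that place this value directly in an `Authorization` header will break, so the contract should be confirmed and recorded on the method, e.g. `/** Returns the service-principal token for the Authorization header; ServicePrincipal supplies the "Bearer " prefix — confirm. */`. A new `ServicePrincipal` is constructed on every call with no visible caching; if its constructor builds AWS clients or reads SSM/Secrets Manager values, holding one instance initialised once (the surviving `@PostConstruct` path, if `init()` is kept — the rendered lines do not show whether it is) would avoid repeated client creation and secret reads per token request. The `s` parameter remains unused and deserves a one-line comment saying so. `ServicePrincipal` resolves only through the `0.3.12-deshruch-SNAPSHOT` artifact pinned in the two pom hunks, and no import for it is visible in this hunk, so the import (if it is not in the unshown lines) and a promotion of that personal snapshot to a released `os-core-lib-aws` version are both needed before merge. The enclosing class continues outside the hunk.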
......@@ -44,7 +44,7 @@
<dependency>
<groupId>org.opengroup.osdu.core.aws</groupId>
<artifactId>os-core-lib-aws</artifactId>
<version>0.3.12-SNAPSHOT</version>
<version>0.3.12-deshruch-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>com.amazonaws</groupId>
......