Merge branch 'authentication_changes' into 'master'

Azure AuthZ and AuthN changes See merge request !14

Merge branch 'authentication_changes' into 'master'
85e1d964 · Hema Vishnu Pola [Microsoft] · 19677ab8 · ed480014 · 85e1d964 · 85e1d964
Commit 85e1d964 authored 4 years ago by Hema Vishnu Pola [Microsoft]
--- a/provider/notification-azure/pom.xml
+++ b/provider/notification-azure/pom.xml
@@ -19,7 +19,6 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
-    <groupId>org.opengroup.osdu</groupId>
    <artifactId>notification-azure</artifactId>
    <version>1.0.0</version>
    <name>notification-azure</name>
@@ -142,6 +141,11 @@
            <version>3.0.0</version>
            <scope>test</scope>
        </dependency>
+        <dependency>
+            <groupId>com.auth0</groupId>
+            <artifactId>jwks-rsa</artifactId>
+            <version>0.11.0</version>
+        </dependency>
    </dependencies>

    <build>

--- a/provider/notification-azure/src/main/java/org/opengroup/osdu/notification/provider/azure/security/SecurityConfig.java
+++ b/provider/notification-azure/src/main/java/org/opengroup/osdu/notification/provider/azure/security/SecurityConfig.java
@@ -15,23 +15,36 @@
 package org.opengroup.osdu.notification.provider.azure.security;

 import com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

-import javax.inject.Inject;
-
 @Configuration
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 public class SecurityConfig extends WebSecurityConfigurerAdapter {

+    @Autowired
+    private AADAppRoleStatelessAuthenticationFilter appRoleAuthFilter;
+
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
-        // TODO : Add antMatchers after Swagger changes merge
-        // TODO : Add the authZ
        httpSecurity
-                .csrf().disable();
+                .csrf().disable()
+                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
+                .and()
+                .authorizeRequests()
+                .antMatchers("/",
+                        "/swagger",
+                        "/v2/api-docs",
+                        "/swagger-resources/**",
+                        "/swagger-ui.html",
+                        "/webjars/**").permitAll()
+                .anyRequest().authenticated()
+                .and()
+                .addFilterBefore(appRoleAuthFilter, UsernamePasswordAuthenticationFilter.class);
    }
 }
--- a/provider/notification-azure/src/main/java/org/opengroup/osdu/notification/provider/azure/util/AzureServiceAccountValidatorImpl.java
+++ b/provider/notification-azure/src/main/java/org/opengroup/osdu/notification/provider/azure/util/AzureServiceAccountValidatorImpl.java
@@ -14,27 +14,31 @@

 package org.opengroup.osdu.notification.provider.azure.util;

+import com.auth0.jwt.JWT;
+import com.auth0.jwt.interfaces.DecodedJWT;
 import org.opengroup.osdu.notification.provider.interfaces.IServiceAccountValidator;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
+import org.springframework.stereotype.Service;

-@Component
+@Service
 public class AzureServiceAccountValidatorImpl implements IServiceAccountValidator {

+    @Autowired
+    AppProperties appProperties;
+
    @Override
-    public boolean isValidPublisherServiceAccount(String jwt) {
-        // TODO : Implement the service account verification for PubSub Role
-        // TODO : Also check the need and means to verify the other Roles.
+    public boolean isValidPublisherServiceAccount(String token) {
+        return isValidServiceAccount(token, this.appProperties.getAadClientID());

-        // Marking it to return true, for the integration tests.
-        return true;
    }

    @Override
-    public boolean isValidServiceAccount(String jwt, String userIdentity, String... audiences) {
-        // TODO : Implement the service account verification for PubSub Role
-        // TODO : Also check the need and means to verify the other Roles.
-
-        // Marking it to return true, for the integration tests.
-        return true;
+    public boolean isValidServiceAccount(String token, String userIdentity, String... audiences) {
+        // TODO : find out if this will be required to authZ,
+        //  when we are are authZ through Entitlement Service.
+        //
+        // Tracking through a issue.
+        return false;
    }
 }
--- a/provider/notification-azure/src/test/java/org/opengroup/osdu/notification/util/AzureServiceAccountValidatorImplTest.java
+++ b/provider/notification-azure/src/test/java/org/opengroup/osdu/notification/util/AzureServiceAccountValidatorImplTest.java
+// Copyright © Microsoft Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.opengroup.osdu.notification.util;
+
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.Spy;
+import org.mockito.junit.MockitoJUnitRunner;
+import org.opengroup.osdu.notification.provider.azure.util.AppProperties;
+import org.opengroup.osdu.notification.provider.azure.util.AzureServiceAccountValidatorImpl;
+
+import static org.mockito.Mockito.when;
+
+@RunWith(MockitoJUnitRunner.class)
+public class AzureServiceAccountValidatorImplTest {
+    private static String invalidAADClientID = "testInvalidAADClientID";
+    private static String invalidJWT = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkdW1teUBkdW1teS5jb20iLCJpc3MiOiJkdW1teUBkdW1teS5jb20iLCJhdWQiOiJkdW1teS5kdW1teS5jb20iLCJpYXQiOjE1NTYxMzcyNzMsImV4cCI6MTU1NjIzMDk3OSwicHJvdmlkZXIiOiJkdW1teS5jb20iLCJjbGllbnQiOiJkdW1teS5jb20iLCJ1c2VyaWQiOiJkdW1teXRlc3Rlci5jb20iLCJlbWFpbCI6ImR1bW15dGVzdGVyLmNvbSIsImF1dGh6IjoiIiwibGFzdG5hbWUiOiJkdW1teSIsImZpcnN0bmFtZSI6ImR1bW15IiwiY291bnRyeSI6IiIsImNvbXBhbnkiOiIiLCJqb2J0aXRsZSI6IiIsInN1YmlkIjoiZHVtbXlpZCIsImlkcCI6ImR1bW15IiwiaGQiOiJkdW1teS5jb20iLCJkZXNpZCI6ImR1bW15aWQiLCJjb250YWN0X2VtYWlsIjoiZHVtbXlAZHVtbXkuY29tIiwianRpIjoiNGEyMWYyYzItZjU5Yy00NWZhLTk0MTAtNDNkNDdhMTg4ODgwIn0.nkiyKtfXXxAlC60iDjXuB2EAGDfZiVglP-CyU1T4etc";
+
+    @Mock
+    private AppProperties appProperties;
+
+    @InjectMocks
+    @Spy
+    private AzureServiceAccountValidatorImpl sut;
+
+    @Before
+    public void setup() {
+        when(this.appProperties.getAadClientID()).thenReturn(this.invalidAADClientID);
+    }
+
+    @Test
+    public void should_returnFalse_isValidServiceAccount() {
+        // Set Up
+        boolean expected = false;
+
+        // Act
+        boolean observed = this.sut.isValidPublisherServiceAccount(invalidJWT);
+
+        // Assert
+        Assert.assertEquals(expected, observed);
+    }
+}