Merge branch 'gcp-auth-under-sa' into 'master'

Authentication for PartitionService to work under SA(GONRG-1843) See merge request !47

Merge branch 'gcp-auth-under-sa' into 'master'
Authentication for PartitionService to work under SA(GONRG-1843) See merge request !47
3188028c · Riabokon Stanislav(EPAM)[GCP] · b3e74933 · 358fa43a · 3188028c · 3188028c
Commit 3188028c authored May 05, 2021 by Riabokon Stanislav(EPAM)[GCP]
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -7,7 +7,7 @@ variables:
  AZURE_SERVICE: partition
  AZURE_BUILD_SUBDIR: provider/partition-azure
  AZURE_TEST_SUBDIR: testing/partition-test-azure
-  
+
  IBM_BUILD_SUBDIR: provider/partition-ibm
  IBM_INT_TEST_SUBDIR: testing/partition-test-ibm

@@ -15,7 +15,7 @@ variables:
  OSDU_GCP_SERVICE: partition
  OSDU_GCP_VENDOR: gcp
  OSDU_GCP_APPLICATION_NAME: os-partition
-  OSDU_GCP_ENV_VARS: AUTHORIZE_API=$OSDU_GCP_AUTHORIZE_API,GOOGLE_CLOUD_PROJECT=$OSDU_GCP_PROJECT
+  OSDU_GCP_ENV_VARS: AUTHORIZE_API=$OSDU_GCP_AUTHORIZE_API,GOOGLE_CLOUD_PROJECT=$OSDU_GCP_PROJECT,GOOGLE_AUDIENCES=$GOOGLE_AUDIENCE,PARTITION_ADMIN_ACCOUNT=$OSDU_GCP_SERVICE_ACCOUNT
  MAVEN_PROJECTS: "-pl partition-core,provider/partition-gcp"
  OSDU_GCP_TEST_SUBDIR: testing/$OSDU_GCP_SERVICE-test-$OSDU_GCP_VENDOR

@@ -32,19 +32,18 @@ include:
  - project: "osdu/platform/ci-cd-pipelines"
    file: "scanners/fossa-maven.yml"

-  - project: 'osdu/platform/ci-cd-pipelines'
-    file: 'cloud-providers/aws.yml'
+  - project: "osdu/platform/ci-cd-pipelines"
+    file: "cloud-providers/aws.yml"

  - project: "osdu/platform/ci-cd-pipelines"
    file: "cloud-providers/azure.yml"
-    
+
  - project: "osdu/platform/ci-cd-pipelines"
    file: "cloud-providers/ibm.yml"

  - project: "osdu/platform/ci-cd-pipelines"
-    file: 'cloud-providers/osdu-gcp-cloudrun.yml'
+    file: "cloud-providers/osdu-gcp-cloudrun.yml"

 osdu-gcp-test:
  variables:
    CLIENT_TENANT: osdu
-
--- a/provider/partition-gcp/README.md
+++ b/provider/partition-gcp/README.md
@@ -21,6 +21,8 @@ In order to run the service locally or remotely, you will need to have the follo
 | `SERVER_SERVLET_CONTEXPATH` | `/api/partition/v1` | Servlet context path | no | - |
 | `AUTHORIZE_API` | ex `https://entitlements.com/entitlements/v1` | Entitlements API endpoint | no | output of infrastructure deployment |
 | `GOOGLE_CLOUD_PROJECT` | ex `osdu-cicd-epam` | Google Cloud Project Id| no | output of infrastructure deployment |
+| `GOOGLE_AUDIENCES` | ex `*****.apps.googleusercontent.com` | Client ID for getting access to cloud resources | yes | https://console.cloud.google.com/apis/credentials |
+| `PARTITION_ADMIN_ACCOUNT` | ex `admin@domen.iam.gserviceaccount.com` | Partition Admin account email | no | - |
 | `GOOGLE_APPLICATION_CREDENTIALS` | ex `/path/to/directory/service-key.json` | Service account credentials, you only need this if running locally | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |

 ### Run Locally
@@ -115,14 +117,9 @@ You will need to have the following environment variables defined.
 | `PARTITION_BASE_URL` | ex `http://localhost:8080/` | service base URL | yes |  |
 | `CLIENT_TENANT` | ex `opendes` | name of the client partition | yes |  |
 | `MY_TENANT` | ex `opendes` | name of the OSDU partition | yes |  |
-| `INTEGRATION_TESTER` | `********` | Service account for API calls. Note: this user must have entitlements configured already. Base64 encoded string | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
+| `INTEGRATION_TESTER` | `********` | Service account for API calls. Note: this user must be `PARTITION_ADMIN_ACCOUNT` | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
 | `NO_DATA_ACCESS_TESTER` | `********` | Service account base64 encoded string without data access | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
 | `INTEGRATION_TEST_AUDIENCE` | `********` | client application ID | yes | https://console.cloud.google.com/apis/credentials |
-**Entitlements configuration for integration accounts**
-
-| INTEGRATION_TESTER | NO_DATA_ACCESS_TESTER | 
-| ---  | ---   |
-| users<br/>service.entitlements.user<br/>service.partition.admin<br/>data.test1<br/>data.integration.test<br/>users@{tenant1}@{domain}.com | users <br/>service.entitlements.user<br/> |

 Execute following command to build code and run all the integration tests:


--- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java
+++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java
@@ -28,9 +28,11 @@ import org.springframework.context.annotation.Configuration;
 @Setter
 public class PropertiesConfiguration {

-  private String authorizeApi;
+    private String googleAudiences;

-  private int cacheExpiration;
+    private String partitionAdminAccount;

-  private int cacheMaxSize;
+    private int cacheExpiration;
+
+    private int cacheMaxSize;
 }
--- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java
+++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java
@@ -17,14 +17,19 @@

 package org.opengroup.osdu.partition.provider.gcp.security;

+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.json.jackson2.JacksonFactory;
+import java.util.Collections;
 import java.util.Objects;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.opengroup.osdu.core.common.model.entitlements.AuthorizationResponse;
+import org.apache.commons.lang3.StringUtils;
 import org.opengroup.osdu.core.common.model.http.AppException;
 import org.opengroup.osdu.core.common.model.http.DpsHeaders;
+import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration;
 import org.opengroup.osdu.partition.provider.interfaces.IAuthorizationService;
-import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Component;
 import org.springframework.web.context.annotation.RequestScope;

@@ -34,23 +39,47 @@ import org.springframework.web.context.annotation.RequestScope;
 @RequiredArgsConstructor
 public class AuthorizationService implements IAuthorizationService {

-  private static final String PARTITION_ADMIN_ROLE = "service.partition.admin";
+    private final PropertiesConfiguration configuration;

-  private final DpsHeaders headers;
+    private final DpsHeaders headers;

-  private final org.opengroup.osdu.core.common.provider.interfaces.IAuthorizationService authorizationServiceImpl;
+    @Override
+    public boolean isDomainAdminServiceAccount() {
+        if (Objects.isNull(headers.getAuthorization()) || headers.getAuthorization().isEmpty()) {
+            throw AppException.createUnauthorized("No JWT token. Access is Forbidden");
+        }
+        try {
+            GoogleIdTokenVerifier verifier =
+                new GoogleIdTokenVerifier.Builder(
+                    GoogleNetHttpTransport.newTrustedTransport(),
+                    JacksonFactory.getDefaultInstance())
+                    .setAudience(Collections.singleton(configuration.getGoogleAudiences()))
+                    .build();

-  @Override
-  public boolean isDomainAdminServiceAccount() {
-    try {
-      AuthorizationResponse authorizationResponse = authorizationServiceImpl
-          .authorizeAny(headers, PARTITION_ADMIN_ROLE);
-    } catch (AppException e) {
-      throw e;
-    } catch (Exception e) {
-      throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure",
-          e.getMessage(), e);
+            String authorization = headers.getAuthorization().replace("Bearer ", "");
+            GoogleIdToken googleIdToken = verifier.verify(authorization);
+            if (Objects.isNull(googleIdToken)) {
+                log.warn("Not valid token provided");
+                throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
+            }
+            String email = googleIdToken.getPayload().getEmail();
+            String partitionAdminAccount = configuration.getPartitionAdminAccount();
+            if (Objects.nonNull(partitionAdminAccount) && !partitionAdminAccount.isEmpty()) {
+                if (email.equals(partitionAdminAccount)) {
+                    return true;
+                } else {
+                    throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
+                }
+            } else {
+                if (StringUtils.endsWithIgnoreCase(email, "gserviceaccount.com")) {
+                    return true;
+                } else {
+                    throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
+                }
+            }
+        } catch (Exception e) {
+            log.warn("Not valid or expired token provided");
+            throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
+        }
    }
-    return true;
-  }
 }
--- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/EntitlementsClientFactory.java
+++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/EntitlementsClientFactory.java
-/*
-  Copyright 2002-2021 Google LLC
-  Copyright 2002-2021 EPAM Systems, Inc
-
-  Licensed under the Apache License, Version 2.0 (the "License");
-  you may not use this file except in compliance with the License.
-  You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
- */
-
-package org.opengroup.osdu.partition.provider.gcp.security;
-
-import lombok.RequiredArgsConstructor;
-
-import javax.inject.Inject;
-
-import org.opengroup.osdu.core.common.entitlements.EntitlementsAPIConfig;
-import org.opengroup.osdu.core.common.entitlements.EntitlementsFactory;
-import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
-import org.opengroup.osdu.core.common.http.json.HttpResponseBodyMapper;
-import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration;
-import org.springframework.beans.factory.config.AbstractFactoryBean;
-import org.springframework.stereotype.Component;
-
-@Component
-@RequiredArgsConstructor
-public class EntitlementsClientFactory extends AbstractFactoryBean<IEntitlementsFactory> {
-
-  private final PropertiesConfiguration properties;
-
-  @Inject
-	private HttpResponseBodyMapper httpResponseBodyMapper;
-
-  @Override
-  protected IEntitlementsFactory createInstance() throws Exception {
-
-    return new EntitlementsFactory(EntitlementsAPIConfig
-        .builder()
-        .rootUrl(properties.getAuthorizeApi())
-        .build(),
-        httpResponseBodyMapper);
-  }
-
-  @Override
-  public Class<?> getObjectType() {
-    return IEntitlementsFactory.class;
-  }
-}
--- a/provider/partition-gcp/src/main/resources/application.properties
+++ b/provider/partition-gcp/src/main/resources/application.properties
@@ -17,6 +17,8 @@ kms-key=searchService
 KEY_RING=${key-ring}
 KMS_KEY=${kms-key}
 GOOGLE_CLOUD_PROJECT=${google-cloud-project}
+google-audiences=123.apps.googleusercontent.com
+partition-admin-account=admin@domen.iam.gserviceaccount.com

 #logging configuration
 logging.level.org.springframework.web=${LOG_LEVEL:DEBUG}