Commit 3188028c authored by Riabokon Stanislav(EPAM)[GCP]'s avatar Riabokon Stanislav(EPAM)[GCP]
Browse files

Merge branch 'gcp-auth-under-sa' into 'master'

Authentication for PartitionService to work under SA(GONRG-1843)

See merge request !47
parents b3e74933 358fa43a
Pipeline #38665 failed with stages
in 26 minutes and 1 second
......@@ -7,7 +7,7 @@ variables:
AZURE_SERVICE: partition
AZURE_BUILD_SUBDIR: provider/partition-azure
AZURE_TEST_SUBDIR: testing/partition-test-azure
IBM_BUILD_SUBDIR: provider/partition-ibm
IBM_INT_TEST_SUBDIR: testing/partition-test-ibm
......@@ -15,7 +15,7 @@ variables:
OSDU_GCP_SERVICE: partition
OSDU_GCP_VENDOR: gcp
OSDU_GCP_APPLICATION_NAME: os-partition
OSDU_GCP_ENV_VARS: AUTHORIZE_API=$OSDU_GCP_AUTHORIZE_API,GOOGLE_CLOUD_PROJECT=$OSDU_GCP_PROJECT
OSDU_GCP_ENV_VARS: AUTHORIZE_API=$OSDU_GCP_AUTHORIZE_API,GOOGLE_CLOUD_PROJECT=$OSDU_GCP_PROJECT,GOOGLE_AUDIENCES=$GOOGLE_AUDIENCE,PARTITION_ADMIN_ACCOUNT=$OSDU_GCP_SERVICE_ACCOUNT
MAVEN_PROJECTS: "-pl partition-core,provider/partition-gcp"
OSDU_GCP_TEST_SUBDIR: testing/$OSDU_GCP_SERVICE-test-$OSDU_GCP_VENDOR
......@@ -32,19 +32,18 @@ include:
- project: "osdu/platform/ci-cd-pipelines"
file: "scanners/fossa-maven.yml"
- project: 'osdu/platform/ci-cd-pipelines'
file: 'cloud-providers/aws.yml'
- project: "osdu/platform/ci-cd-pipelines"
file: "cloud-providers/aws.yml"
- project: "osdu/platform/ci-cd-pipelines"
file: "cloud-providers/azure.yml"
- project: "osdu/platform/ci-cd-pipelines"
file: "cloud-providers/ibm.yml"
- project: "osdu/platform/ci-cd-pipelines"
file: 'cloud-providers/osdu-gcp-cloudrun.yml'
file: "cloud-providers/osdu-gcp-cloudrun.yml"
osdu-gcp-test:
variables:
CLIENT_TENANT: osdu
......@@ -21,6 +21,8 @@ In order to run the service locally or remotely, you will need to have the follo
| `SERVER_SERVLET_CONTEXPATH` | `/api/partition/v1` | Servlet context path | no | - |
| `AUTHORIZE_API` | ex `https://entitlements.com/entitlements/v1` | Entitlements API endpoint | no | output of infrastructure deployment |
| `GOOGLE_CLOUD_PROJECT` | ex `osdu-cicd-epam` | Google Cloud Project Id| no | output of infrastructure deployment |
| `GOOGLE_AUDIENCES` | ex `*****.apps.googleusercontent.com` | Client ID for getting access to cloud resources | yes | https://console.cloud.google.com/apis/credentials |
| `PARTITION_ADMIN_ACCOUNT` | ex `admin@domen.iam.gserviceaccount.com` | Partition Admin account email | no | - |
| `GOOGLE_APPLICATION_CREDENTIALS` | ex `/path/to/directory/service-key.json` | Service account credentials, you only need this if running locally | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
### Run Locally
......@@ -115,14 +117,9 @@ You will need to have the following environment variables defined.
| `PARTITION_BASE_URL` | ex `http://localhost:8080/` | service base URL | yes | |
| `CLIENT_TENANT` | ex `opendes` | name of the client partition | yes | |
| `MY_TENANT` | ex `opendes` | name of the OSDU partition | yes | |
| `INTEGRATION_TESTER` | `********` | Service account for API calls. Note: this user must have entitlements configured already. Base64 encoded string | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
| `INTEGRATION_TESTER` | `********` | Service account for API calls. Note: this user must be `PARTITION_ADMIN_ACCOUNT` | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
| `NO_DATA_ACCESS_TESTER` | `********` | Service account base64 encoded string without data access | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
| `INTEGRATION_TEST_AUDIENCE` | `********` | client application ID | yes | https://console.cloud.google.com/apis/credentials |
**Entitlements configuration for integration accounts**
| INTEGRATION_TESTER | NO_DATA_ACCESS_TESTER |
| --- | --- |
| users<br/>service.entitlements.user<br/>service.partition.admin<br/>data.test1<br/>data.integration.test<br/>users@{tenant1}@{domain}.com | users <br/>service.entitlements.user<br/> |
Execute following command to build code and run all the integration tests:
......
......@@ -28,9 +28,11 @@ import org.springframework.context.annotation.Configuration;
@Setter
public class PropertiesConfiguration {
private String authorizeApi;
private String googleAudiences;
private int cacheExpiration;
private String partitionAdminAccount;
private int cacheMaxSize;
private int cacheExpiration;
private int cacheMaxSize;
}
......@@ -17,14 +17,19 @@
package org.opengroup.osdu.partition.provider.gcp.security;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import java.util.Collections;
import java.util.Objects;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.opengroup.osdu.core.common.model.entitlements.AuthorizationResponse;
import org.apache.commons.lang3.StringUtils;
import org.opengroup.osdu.core.common.model.http.AppException;
import org.opengroup.osdu.core.common.model.http.DpsHeaders;
import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration;
import org.opengroup.osdu.partition.provider.interfaces.IAuthorizationService;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.context.annotation.RequestScope;
......@@ -34,23 +39,47 @@ import org.springframework.web.context.annotation.RequestScope;
@RequiredArgsConstructor
public class AuthorizationService implements IAuthorizationService {
private static final String PARTITION_ADMIN_ROLE = "service.partition.admin";
private final PropertiesConfiguration configuration;
private final DpsHeaders headers;
private final DpsHeaders headers;
private final org.opengroup.osdu.core.common.provider.interfaces.IAuthorizationService authorizationServiceImpl;
@Override
public boolean isDomainAdminServiceAccount() {
if (Objects.isNull(headers.getAuthorization()) || headers.getAuthorization().isEmpty()) {
throw AppException.createUnauthorized("No JWT token. Access is Forbidden");
}
try {
GoogleIdTokenVerifier verifier =
new GoogleIdTokenVerifier.Builder(
GoogleNetHttpTransport.newTrustedTransport(),
JacksonFactory.getDefaultInstance())
.setAudience(Collections.singleton(configuration.getGoogleAudiences()))
.build();
@Override
public boolean isDomainAdminServiceAccount() {
try {
AuthorizationResponse authorizationResponse = authorizationServiceImpl
.authorizeAny(headers, PARTITION_ADMIN_ROLE);
} catch (AppException e) {
throw e;
} catch (Exception e) {
throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure",
e.getMessage(), e);
String authorization = headers.getAuthorization().replace("Bearer ", "");
GoogleIdToken googleIdToken = verifier.verify(authorization);
if (Objects.isNull(googleIdToken)) {
log.warn("Not valid token provided");
throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
}
String email = googleIdToken.getPayload().getEmail();
String partitionAdminAccount = configuration.getPartitionAdminAccount();
if (Objects.nonNull(partitionAdminAccount) && !partitionAdminAccount.isEmpty()) {
if (email.equals(partitionAdminAccount)) {
return true;
} else {
throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
}
} else {
if (StringUtils.endsWithIgnoreCase(email, "gserviceaccount.com")) {
return true;
} else {
throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
}
}
} catch (Exception e) {
log.warn("Not valid or expired token provided");
throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
}
}
return true;
}
}
/*
Copyright 2002-2021 Google LLC
Copyright 2002-2021 EPAM Systems, Inc
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package org.opengroup.osdu.partition.provider.gcp.security;
import lombok.RequiredArgsConstructor;
import javax.inject.Inject;
import org.opengroup.osdu.core.common.entitlements.EntitlementsAPIConfig;
import org.opengroup.osdu.core.common.entitlements.EntitlementsFactory;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
import org.opengroup.osdu.core.common.http.json.HttpResponseBodyMapper;
import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration;
import org.springframework.beans.factory.config.AbstractFactoryBean;
import org.springframework.stereotype.Component;
@Component
@RequiredArgsConstructor
public class EntitlementsClientFactory extends AbstractFactoryBean<IEntitlementsFactory> {
private final PropertiesConfiguration properties;
@Inject
private HttpResponseBodyMapper httpResponseBodyMapper;
@Override
protected IEntitlementsFactory createInstance() throws Exception {
return new EntitlementsFactory(EntitlementsAPIConfig
.builder()
.rootUrl(properties.getAuthorizeApi())
.build(),
httpResponseBodyMapper);
}
@Override
public Class<?> getObjectType() {
return IEntitlementsFactory.class;
}
}
......@@ -17,6 +17,8 @@ kms-key=searchService
KEY_RING=${key-ring}
KMS_KEY=${kms-key}
GOOGLE_CLOUD_PROJECT=${google-cloud-project}
google-audiences=123.apps.googleusercontent.com
partition-admin-account=admin@domen.iam.gserviceaccount.com
#logging configuration
logging.level.org.springframework.web=${LOG_LEVEL:DEBUG}
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment