From 364a62104afa07d619db43d79089eb767c6916e4 Mon Sep 17 00:00:00 2001
From: Vibhuti Sharma <vibsharm@microsoft.com>
Date: Tue, 24 Aug 2021 14:48:01 +0530
Subject: [PATCH] added check for issuer

---
 .../azure/utils/AuthorizationService.java         | 15 ++++++++++++++-
 .../azure/utils/AuthorizationServiceTest.java     | 14 +++++++++++++-
 .../partition/provider/azure/utils/TestUtils.java |  4 ++++
 3 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/provider/partition-azure/src/main/java/org/opengroup/osdu/partition/provider/azure/utils/AuthorizationService.java b/provider/partition-azure/src/main/java/org/opengroup/osdu/partition/provider/azure/utils/AuthorizationService.java
index 8bddf4aba..ed0f6df00 100644
--- a/provider/partition-azure/src/main/java/org/opengroup/osdu/partition/provider/azure/utils/AuthorizationService.java
+++ b/provider/partition-azure/src/main/java/org/opengroup/osdu/partition/provider/azure/utils/AuthorizationService.java
@@ -25,6 +25,9 @@ import java.util.Map;
 @Component
 public class AuthorizationService implements IAuthorizationService {
 
+    private final String AAD_issuer_v1 = "https://sts.windows.net";
+    private final String AAD_issuer_v2 = "https://login.microsoftonline.com";
+
     enum UserType {
         REGULAR_USER,
         GUEST_USER,
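Review bot: The two issuer prefixes added at the top of the class are per-instance fields with mixed-case names although they are compile-time constants; they should be `private static final String AAD_ISSUER_V1 = "https://sts.windows.net";` and `private static final String AAD_ISSUER_V2 = "https://login.microsoftonline.com";`, following the UPPER_SNAKE_CASE convention used for constants. Making them static also makes clear that they are fixed accepted values rather than per-bean configuration. A one-line comment such as `// Accepted AAD token issuer hosts (v1 and v2 endpoints)` would tell the next reader why exactly these two strings are trusted.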
@@ -40,14 +43,24 @@ public class AuthorizationService implements IAuthorizationService {
         }
 
         final UserPrincipal userPrincipal = (UserPrincipal) principal;
+        String issuer = userPrincipal.getClaim("iss").toString();
 
         UserType type = getType(userPrincipal);
-        if (type == UserType.SERVICE_PRINCIPAL) {
+        if (type == UserType.SERVICE_PRINCIPAL && issuedByAAD(issuer)) {
             return true;
         }
         return false;
     }
 
+    /***
+     * Check that issuer string startswith accepted prefix of AAD issuer url (V1 or V2).
+     * @param issuer claim for "issuer"
+     * @return true if issuer startswith V1 url or V2 url
+     */
+    private boolean issuedByAAD(String issuer) {
+        return issuer.startsWith(AAD_issuer_v1) || issuer.startsWith(AAD_issuer_v2);
+    }
+
     /**
      * The internal method to get the user principal.
      *
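Review bot: `issuedByAAD` compares the `iss` claim against a bare scheme-and-host prefix, so an issuer whose host merely begins with one of the accepted hosts (a longer host name, or one with a port suffix) also passes; anchor the comparison on the path delimiter, e.g. `return issuer.startsWith(AAD_issuer_v1 + "/") || issuer.startsWith(AAD_issuer_v2 + "/");`, or give the constants a trailing `/`. The new line `String issuer = userPrincipal.getClaim("iss").toString();` throws a NullPointerException when the claim is absent, turning a malformed token into an error instead of a denial; guard it with `if (userPrincipal.getClaim("iss") == null) { return false; }` before the call. Note also that AAD issuer values carry a tenant segment after the host, so a host-prefix check accepts service principals from any tenant — if this check is meant to be tenant-scoped, the expected full issuer value should be compared instead (to be confirmed against the deployment's configuration). The Javadoc opener `/***` should be the conventional `/**`. The enclosing method begins before the hunk (presumably `isDomainAdminServiceAccount`, judging by the test names).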
diff --git a/provider/partition-azure/src/test/java/org/opengroup/osdu/partition/provider/azure/utils/AuthorizationServiceTest.java b/provider/partition-azure/src/test/java/org/opengroup/osdu/partition/provider/azure/utils/AuthorizationServiceTest.java
index f76d96dcc..0d732a671 100644
--- a/provider/partition-azure/src/test/java/org/opengroup/osdu/partition/provider/azure/utils/AuthorizationServiceTest.java
+++ b/provider/partition-azure/src/test/java/org/opengroup/osdu/partition/provider/azure/utils/AuthorizationServiceTest.java
@@ -103,11 +103,23 @@ public class AuthorizationServiceTest {
     }
 
     @Test
-    public void shouldReturnTrueWhenAADTokenIsSetInContext() {
+    public void shouldReturnTrueWhenAADTokenIsSetInContext_AndIssuerIsAAD() {
         createAADUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.getAadIssuer());
         assertTrue(authorizationService.isDomainAdminServiceAccount());
     }
 
+    @Test
+    public void shouldReturnTrueWhenAADTokenIsSetInContext_AndIssuerIsAADV2() {
+        createAADUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.getAadIssuerV2());
+        assertTrue(authorizationService.isDomainAdminServiceAccount());
+    }
+
+    @Test
+    public void shouldReturnFalseWhenAADTokenIsSetInContext_AndIssuerIsNotAAD() {
+        createAADUserPrincipalSetSecurityContext(TestUtils.APPID, TestUtils.getAppId(), TestUtils.getNonAadIssuer());
+        assertFalse(authorizationService.isDomainAdminServiceAccount());
+    }
+
     @Getter
     public class DummyAuthToken {
 
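Review bot: The new tests cover the exact v1 and v2 issuer values and one unrelated host, but not the boundary cases of the prefix check in `issuedByAAD`: an issuer whose host only begins with an accepted host (a constructed value such as `https://sts.windows.net.example`) and a principal with no `iss` claim at all. Both deserve a `shouldReturnFalse…` test, since the first currently passes the prefix check and the second produces a NullPointerException rather than `false`. The helper `createAADUserPrincipalSetSecurityContext` is defined outside the hunk, so whether it can build a principal without an issuer cannot be confirmed from here.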
diff --git a/provider/partition-azure/src/test/java/org/opengroup/osdu/partition/provider/azure/utils/TestUtils.java b/provider/partition-azure/src/test/java/org/opengroup/osdu/partition/provider/azure/utils/TestUtils.java
index 392665322..cfa415a48 100644
--- a/provider/partition-azure/src/test/java/org/opengroup/osdu/partition/provider/azure/utils/TestUtils.java
+++ b/provider/partition-azure/src/test/java/org/opengroup/osdu/partition/provider/azure/utils/TestUtils.java
@@ -18,7 +18,11 @@ public class TestUtils {
     private static final String appId = "1234";
     public static final String APPID = "appid";
     public static final String aadIssuer = "https://sts.windows.net";
+    public static final String aadIssuerV2 = "https://login.microsoftonline.com";
+    public static final String nonAadIssuer = "https://login.abc.com";
 
     public static String getAppId() {return appId;}
     public static String getAadIssuer() {return aadIssuer;}
+    public static String getAadIssuerV2() {return aadIssuerV2;}
+    public static String getNonAadIssuer() {return nonAadIssuer;}
 }
-- 
GitLab