fix responses for unauthorized

383203d3 · Rustam Lotsmanenko (EPAM) · eedcc42a · 383203d3
Commit 383203d3 authored 3 years ago by Rustam Lotsmanenko (EPAM)
--- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java
+++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java
@@ -26,6 +26,7 @@ import java.util.Objects;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
+import org.opengroup.osdu.core.common.model.http.AppException;
 import org.opengroup.osdu.core.common.model.http.DpsHeaders;
 import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration;
 import org.opengroup.osdu.partition.provider.interfaces.IAuthorizationService;
@@ -44,6 +45,9 @@ public class AuthorizationService implements IAuthorizationService {

    @Override
    public boolean isDomainAdminServiceAccount() {
+        if (Objects.isNull(headers.getAuthorization()) || headers.getAuthorization().isEmpty()) {
+            throw AppException.createUnauthorized("No JWT token. Access is Forbidden");
+        }
        try {
            GoogleIdTokenVerifier verifier =
                new GoogleIdTokenVerifier.Builder(
@@ -56,17 +60,26 @@ public class AuthorizationService implements IAuthorizationService {
            GoogleIdToken googleIdToken = verifier.verify(authorization);
            if (Objects.isNull(googleIdToken)) {
                log.warn("Not valid token provided");
-                return false;
+                throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
            }
            String email = googleIdToken.getPayload().getEmail();
            String partitionAdminAccount = configuration.getPartitionAdminAccount();
            if (Objects.nonNull(partitionAdminAccount) && !partitionAdminAccount.isEmpty()) {
-                return email.equals(partitionAdminAccount);
+                if (email.equals(partitionAdminAccount)) {
+                    return true;
+                } else {
+                    throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
+                }
+            } else {
+                if (StringUtils.endsWithIgnoreCase(email, "gserviceaccount.com")) {
+                    return true;
+                } else {
+                    throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
+                }
            }
-            return StringUtils.endsWithIgnoreCase(email, "gserviceaccount.com");
        } catch (Exception e) {
            log.warn("Not valid or expired token provided");
-            return false;
+            throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
        }
    }
 }