Commit 383203d3 authored by Rustam Lotsmanenko (EPAM)'s avatar Rustam Lotsmanenko (EPAM)
Browse files

fix responses for unauthorized

parent eedcc42a
Pipeline #36072 failed with stage
in 3 minutes and 49 seconds
...@@ -26,6 +26,7 @@ import java.util.Objects; ...@@ -26,6 +26,7 @@ import java.util.Objects;
import lombok.RequiredArgsConstructor; import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.opengroup.osdu.core.common.model.http.AppException;
import org.opengroup.osdu.core.common.model.http.DpsHeaders; import org.opengroup.osdu.core.common.model.http.DpsHeaders;
import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration; import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration;
import org.opengroup.osdu.partition.provider.interfaces.IAuthorizationService; import org.opengroup.osdu.partition.provider.interfaces.IAuthorizationService;
...@@ -44,6 +45,9 @@ public class AuthorizationService implements IAuthorizationService { ...@@ -44,6 +45,9 @@ public class AuthorizationService implements IAuthorizationService {
@Override @Override
public boolean isDomainAdminServiceAccount() { public boolean isDomainAdminServiceAccount() {
if (Objects.isNull(headers.getAuthorization()) || headers.getAuthorization().isEmpty()) {
throw AppException.createUnauthorized("No JWT token. Access is Forbidden");
}
try { try {
GoogleIdTokenVerifier verifier = GoogleIdTokenVerifier verifier =
new GoogleIdTokenVerifier.Builder( new GoogleIdTokenVerifier.Builder(
...@@ -56,17 +60,26 @@ public class AuthorizationService implements IAuthorizationService { ...@@ -56,17 +60,26 @@ public class AuthorizationService implements IAuthorizationService {
GoogleIdToken googleIdToken = verifier.verify(authorization); GoogleIdToken googleIdToken = verifier.verify(authorization);
if (Objects.isNull(googleIdToken)) { if (Objects.isNull(googleIdToken)) {
log.warn("Not valid token provided"); log.warn("Not valid token provided");
return false; throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
} }
String email = googleIdToken.getPayload().getEmail(); String email = googleIdToken.getPayload().getEmail();
String partitionAdminAccount = configuration.getPartitionAdminAccount(); String partitionAdminAccount = configuration.getPartitionAdminAccount();
if (Objects.nonNull(partitionAdminAccount) && !partitionAdminAccount.isEmpty()) { if (Objects.nonNull(partitionAdminAccount) && !partitionAdminAccount.isEmpty()) {
return email.equals(partitionAdminAccount); if (email.equals(partitionAdminAccount)) {
return true;
} else {
throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
}
} else {
if (StringUtils.endsWithIgnoreCase(email, "gserviceaccount.com")) {
return true;
} else {
throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
}
} }
return StringUtils.endsWithIgnoreCase(email, "gserviceaccount.com");
} catch (Exception e) { } catch (Exception e) {
log.warn("Not valid or expired token provided"); log.warn("Not valid or expired token provided");
return false; throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
} }
} }
} }
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment