From 50635928365dfc9bc7e73bfc610aa1fbeda341dc Mon Sep 17 00:00:00 2001
From: "Rustam Lotsmanenko (EPAM)" <rustam_lotsmanenko@epam.com>
Date: Tue, 8 Feb 2022 15:42:11 +0000
Subject: [PATCH] Added option to define the full email of trusted service acc
 (GONRG-4213)

---
 provider/partition-gcp/README.md                         | 1 +
 .../provider/gcp/security/GcpAuthorizationService.java   | 9 +++++----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/provider/partition-gcp/README.md b/provider/partition-gcp/README.md
index ad2876091..95b635050 100644
--- a/provider/partition-gcp/README.md
+++ b/provider/partition-gcp/README.md
@@ -82,6 +82,7 @@ In order to run the service locally or remotely, you will need to have the follo
 | `osm.postgres.username` | ex `postgres` | Postgres admin username | no | - |
 | `osm.postgres.password` | ex `postgres` | Postgres admin password | yes | - |
 | `ENVIRONMENT` | `gcp` or `anthos` | If `anthos` then authorization is disabled | no | - |
+| `SERVICE_ACCOUNT_TAIL` | `****` |By default Partition service while authenticating the request, verifies that the email in provided token belongs to a service account from a specific project by email tail `<GOOGLE_CLOUD_PROJECT> + .iam.gserviceaccount.com`, this behavior can be changed with this variable, you may specify which email tail exactly expected.| no | - |
 
 ## Configuring mappers' Datasources
 
diff --git a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/GcpAuthorizationService.java b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/GcpAuthorizationService.java
index 0c2a1398c..39422914e 100644
--- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/GcpAuthorizationService.java
+++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/GcpAuthorizationService.java
@@ -79,11 +79,12 @@ public class GcpAuthorizationService implements IAuthorizationService {
   }
 
   private boolean isAllowedAccount(String accountEmail) {
+    for (String partitionAdmin : configuration.getPartitionAdminAccounts()) {
+      if (partitionAdmin.equals(accountEmail)) {
+        return true;
+      }
+
     if (StringUtils.endsWith(accountEmail, configuration.getServiceAccountTail())) {
-      for (String partitionAdmin : configuration.getPartitionAdminAccounts()) {
-        if (partitionAdmin.equals(accountEmail)) {
-          return true;
-        }
         if (StringUtils.startsWith(accountEmail, partitionAdmin)) {
           return true;
         }
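Review bot: The prefix branch on the new side still matches `StringUtils.startsWith(accountEmail, partitionAdmin)` without an `@` delimiter, so if the configured admin entries are short names (as the `startsWith` usage suggests) an account such as `partition-admin-extra@<project>.iam.gserviceaccount.com` is accepted alongside `partition-admin@…`; since `equals` now handles full emails before this point, the branch should require `if (StringUtils.startsWith(accountEmail, partitionAdmin + "@")) {`. This matters more after this patch because the tail is now operator-configurable: a tail such as `.iam.gserviceaccount.com` without the project would let matching-prefix accounts from any project through, which is worth stating in a comment next to the `endsWith` check, e.g. `// tail must include the project; a bare domain suffix accepts accounts from other projects`. The `if (StringUtils.endsWith(...))` line now sits inside the `for` loop but keeps its old four-space indent, which hides the nesting; re-indent it and its body one level. The method's closing braces are outside the hunk.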
-- 
GitLab