Commit 65720d6b authored by Bhushan Rade's avatar Bhushan Rade Committed by Anuj Gupta
Browse files

partitionid validation test case updated. no access token response code

check changed 401 to 403
parent 2c9cdcda
......@@ -348,6 +348,7 @@ The following software have components provided under the terms of this license:
- Java Native Access (from https://github.com/java-native-access/jna)
- Java Native Access Platform (from https://github.com/java-native-access/jna)
- Javassist (from http://www.javassist.org/)
- Javassist (from http://www.javassist.org/)
- Jetty Server (from )
- Jetty Utilities (from )
- Joda-Time (from http://www.joda.org/joda-time/)
......@@ -358,6 +359,15 @@ The following software have components provided under the terms of this license:
- KeePassJava2 :: KDB (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-kdb)
- KeePassJava2 :: KDBX (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-kdbx)
- KeePassJava2 :: Simple (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-simple)
- KeyCloak Authz: Client API (from )
- Keycloak :: Spring :: Boot :: Default :: Starter (from )
- Keycloak Adapter Core (from )
- Keycloak Adapter SPI (from )
- Keycloak Common (from )
- Keycloak Core (from )
- Keycloak Spring Boot 2 Integration (from )
- Keycloak Spring Boot Adapter Core (from )
- Keycloak Spring Security Integration (from )
- Logback Contrib :: JSON :: Classic (from )
- Logback Contrib :: JSON :: Core (from )
- Logback Contrib :: Jackson (from )
......@@ -561,6 +571,7 @@ The following software have components provided under the terms of this license:
- rest-high-level (from https://github.com/elastic/elasticsearch)
- rxjava (from https://github.com/ReactiveX/RxJava)
- secure-sm (from https://github.com/elastic/elasticsearch)
- spring-boot-container-bundle (from )
- spring-security-config (from http://spring.io/spring-security)
- spring-security-core (from http://spring.io/spring-security)
- spring-security-oauth2-client (from http://spring.io/spring-security)
......@@ -597,6 +608,7 @@ The following software have components provided under the terms of this license:
- GAX (Google Api eXtensions) (from https://github.com/googleapis)
- Hamcrest (from http://hamcrest.org/JavaHamcrest/)
- Hamcrest Core (from http://hamcrest.org/)
- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- Lucene Common Analyzers (from )
- Plexus :: Default Container (from )
- Plexus Common Utilities (from http://plexus.codehaus.org/plexus-utils)
......@@ -625,8 +637,10 @@ The following software have components provided under the terms of this license:
- Google Auth Library for Java - OAuth2 HTTP (from )
- Hamcrest (from http://hamcrest.org/JavaHamcrest/)
- Hamcrest Core (from http://hamcrest.org/)
- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- JDOM (from http://www.jdom.org)
- JSch (from http://www.jcraft.com/jsch/)
- JavaBeans Activation Framework (from )
- JavaBeans Activation Framework API jar (from )
- Lucene Common Analyzers (from )
- Lucene Core (from )
......@@ -795,6 +809,7 @@ The following software have components provided under the terms of this license:
- Java Native Access (from https://github.com/java-native-access/jna)
- Java Native Access Platform (from https://github.com/java-native-access/jna)
- Javassist (from http://www.javassist.org/)
- Javassist (from http://www.javassist.org/)
- Logback Classic Module (from )
- Logback Contrib :: JSON :: Classic (from )
- Logback Contrib :: JSON :: Core (from )
......@@ -811,6 +826,7 @@ LGPL-2.1-or-later
========================================================================
The following software have components provided under the terms of this license:
- Javassist (from http://www.javassist.org/)
- SnakeYAML (from http://www.snakeyaml.org)
========================================================================
......@@ -835,6 +851,7 @@ The following software have components provided under the terms of this license:
- Azure Java Client Runtime for AutoRest (from https://github.com/Azure/autorest-clientruntime-for-java)
- Azure Metrics Spring Boot Starter (from https://github.com/Microsoft/azure-spring-boot)
- Azure Spring Boot AutoConfigure (from https://github.com/Microsoft/azure-spring-boot)
- Bouncy Castle Provider (from http://www.bouncycastle.org/java.html)
- Checker Qual (from https://checkerframework.org)
- Extensions on Apache Proton-J library (from https://github.com/Azure/qpid-proton-j-extensions)
- JOpt Simple (from http://pholser.github.io/jopt-simple)
......@@ -886,12 +903,14 @@ The following software have components provided under the terms of this license:
- Cobertura code coverage (from http://cobertura.sourceforge.net)
- Javassist (from http://www.javassist.org/)
- Javassist (from http://www.javassist.org/)
========================================================================
MPL-2.0
========================================================================
The following software have components provided under the terms of this license:
- Javassist (from http://www.javassist.org/)
- Javassist (from http://www.javassist.org/)
- OkHttp (from )
......@@ -900,6 +919,7 @@ PHP-3.01
========================================================================
The following software have components provided under the terms of this license:
- JavaBeans Activation Framework (from )
- JavaBeans Activation Framework API jar (from )
- jakarta.xml.bind-api (from )
......@@ -952,9 +972,13 @@ The following software have components provided under the terms of this license:
- AWS Java SDK :: SDK Core (from https://aws.amazon.com/sdkforjava)
- AWS SDK for Java - Models (from https://aws.amazon.com/sdkforjava)
- Asynchronous Http Client (from )
- Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs (from http://www.bouncycastle.org/java.html)
- Bouncy Castle Provider (from http://www.bouncycastle.org/java.html)
- Guava: Google Core Libraries for Java (from https://github.com/google/guava.git)
- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- Joda-Time (from http://www.joda.org/joda-time/)
- Keycloak Common (from )
- LatencyUtils (from http://latencyutils.github.io/LatencyUtils/)
- Microsoft Application Insights Java SDK Core (from https://github.com/Microsoft/ApplicationInsights-Java)
- Microsoft Azure SDK for SQL API of Azure Cosmos DB Service (from https://github.com/Azure/azure-sdk-for-java)
......@@ -972,10 +996,13 @@ unknown
========================================================================
The following software have components provided under the terms of this license:
- Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs (from http://www.bouncycastle.org/java.html)
- Bouncy Castle Provider (from http://www.bouncycastle.org/java.html)
- Byte Buddy (without dependencies) (from )
- JUnit (from http://junit.org)
- JUnit (from http://junit.org)
- JUnit Jupiter (Aggregator) (from https://junit.org/junit5/)
- JavaBeans Activation Framework (from )
- JavaBeans Activation Framework API jar (from )
- JavaMail API (from )
- Servlet Specification 2.5 API (from )
......
......@@ -20,20 +20,15 @@
<packaging>jar</packaging>
<properties>
<aws.version>1.11.637</aws.version>
<version.keycloak>9.0.2</version.keycloak>
</properties>
<dependencies>
<!-- Internal packages -->
<dependency>
<groupId>org.opengroup.osdu</groupId>
<artifactId>os-core-common</artifactId>
<version>0.3.28</version>
</dependency>
<dependency>
<groupId>org.opengroup.osdu</groupId>
<artifactId>os-core-lib-ibm</artifactId>
<version>0.7.0</version>
<version>0.8.2</version>
</dependency>
<dependency>
<groupId>org.opengroup.osdu</groupId>
......@@ -43,10 +38,10 @@
<!-- Third party Apache 2.0 license packages -->
<dependency>
<!-- <dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
</dependency> -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
......@@ -119,6 +114,31 @@
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
<!-- Keycloak -->
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-starter</artifactId>
<version>${version.keycloak}</version>
</dependency>
<!-- <dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-starter-security</artifactId>
<version>${version.keycloak}</version>
</dependency> -->
<!-- <dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-authz-client</artifactId>
<version>${version.keycloak}</version>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-admin-client</artifactId>
<version>${version.keycloak}</version>
</dependency> -->
</dependencies>
<build>
......
......@@ -3,47 +3,52 @@
package org.opengroup.osdu.partition.provider.ibm.security;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsAndCacheService;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.opengroup.osdu.core.common.model.http.AppException;
import org.opengroup.osdu.core.common.model.http.DpsHeaders;
import org.opengroup.osdu.partition.provider.interfaces.IAuthorizationService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.context.annotation.RequestScope;
import lombok.extern.slf4j.Slf4j;
@Component
@RequestScope
@Slf4j
public class AuthorizationService implements IAuthorizationService {
public static final String PARTITION_ADMIN_ROLE = "service.partition.admin";
@Autowired
private IEntitlementsAndCacheService entitlementsAndCacheService;
@Autowired
private DpsHeaders headers;
@Override
public boolean isDomainAdminServiceAccount() {
try {
return hasRole(PARTITION_ADMIN_ROLE);
}
catch (AppException e) {
throw e;
}
catch (Exception e) {
throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure", e.getMessage(), e);
}
}
private boolean hasRole(String requiredRole) {
//headers.put(DpsHeaders.DATA_PARTITION_ID, PARTITION_NAME);
String user = entitlementsAndCacheService.authorize(headers, requiredRole);
headers.put(DpsHeaders.USER_EMAIL, user);
return true;
}
@Value("${service.partition.admin.user}")
String partitionAdminUser;
@Override
public boolean isDomainAdminServiceAccount() {
try {
final Authentication auth = SecurityContextHolder.getContext().getAuthentication();
@SuppressWarnings("unchecked")
KeycloakPrincipal<KeycloakSecurityContext> principal = (KeycloakPrincipal<KeycloakSecurityContext>) auth.getPrincipal();
String upn = principal.getName();
log.info("email : "+upn);
if(upn.equals(partitionAdminUser)) {
return true;
}
else {
throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
}
}
catch (AppException e) {
throw e;
}
catch (Exception e) {
throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure", e.getMessage(), e);
}
}
}
/* Licensed Materials - Property of IBM */
/* (c) Copyright IBM Corp. 2020. All Rights Reserved.*/
package org.opengroup.osdu.partition.provider.ibm.security;
import org.apache.http.HttpStatus;
import org.opengroup.osdu.core.common.model.entitlements.Acl;
import org.opengroup.osdu.core.common.model.http.DpsHeaders;
import org.opengroup.osdu.core.common.cache.ICache;
import org.opengroup.osdu.core.common.model.storage.RecordMetadata;
import org.opengroup.osdu.core.common.util.Crc32c;
import org.opengroup.osdu.core.common.model.entitlements.EntitlementsException;
import org.opengroup.osdu.core.common.model.entitlements.Groups;
import org.opengroup.osdu.core.common.model.http.AppException;
import org.opengroup.osdu.core.common.http.HttpResponse;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsService;
import org.opengroup.osdu.core.common.logging.JaxRsDpsLog;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsAndCacheService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
@Service
public class EntitlementsAndCacheServiceImpl implements IEntitlementsAndCacheService {
private static final String ERROR_REASON = "Access denied";
private static final String ERROR_MSG = "The user is not authorized to perform this action";
@Autowired
private IEntitlementsFactory factory;
@Autowired
private ICache<String, Groups> cache;
@Autowired
private JaxRsDpsLog logger;
@Override
public String authorize(DpsHeaders headers, String... roles) {
Groups groups = this.getGroups(headers);
if (groups.any(roles)) {
return groups.getDesId();
} else {
throw new AppException(HttpStatus.SC_UNAUTHORIZED, ERROR_REASON, ERROR_MSG);
}
}
@Override
public boolean isValidAcl(DpsHeaders headers, Set<String> acls) {
Groups groups = this.getGroups(headers);
if (groups.getGroups() == null || groups.getGroups().isEmpty()) {
this.logger.error("Error on getting groups for user: " + headers.getUserEmail());
throw new AppException(HttpStatus.SC_INTERNAL_SERVER_ERROR, "Unknown error",
"Unknown error happened when validating ACL");
}
String email = groups.getGroups().get(0).getEmail();
if (!email.matches("^[a-zA-Z0-9_+&*-]+(?:\\.[a-zA-Z0-9_+&*-]+)*@(?:[a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,7}$")) {
this.logger.error("Email address is invalid for this group: " + groups.getGroups().get(0));
throw new AppException(HttpStatus.SC_INTERNAL_SERVER_ERROR, "Unknown error",
"Unknown error happened when validating ACL");
}
String domain = email.split("@")[1];
for (String acl : acls) {
if (!acl.split("@")[1].equalsIgnoreCase(domain)) {
return false;
}
}
return true;
}
@Override
public boolean hasOwnerAccess(DpsHeaders headers, String[] ownerList) {
Groups groups = this.getGroups(headers);
Set<String> aclList = new HashSet<>();
for (String owner : ownerList) {
aclList.add(owner.split("@")[0]);
}
String[] acls = new String[aclList.size()];
return groups.any(aclList.toArray(acls));
}
@Override
public List<RecordMetadata> hasValidAccess(List<RecordMetadata> recordsMetadata, DpsHeaders headers) {
Groups groups = this.getGroups(headers);
List<RecordMetadata> result = new ArrayList<>();
for (RecordMetadata recordMetadata : recordsMetadata) {
Acl storageAcl = recordMetadata.getAcl();
if (hasAccess(storageAcl, groups)) {
result.add(recordMetadata);
} else {
this.logger.warning("Post ACL check fails: " + recordMetadata.getId());
}
}
return result;
}
private boolean hasAccess(Acl storageAcl, Groups groups) {
String[] viewers = storageAcl.getViewers();
String[] owners = storageAcl.getOwners();
Set<String> aclList = new HashSet<>();
for (String viewer : viewers) {
aclList.add(viewer.split("@")[0]);
}
for (String owner : owners) {
aclList.add(owner.split("@")[0]);
}
String[] acls = new String[aclList.size()];
if (groups.any(aclList.toArray(acls))) {
return true;
} else {
return false;
}
}
protected Groups getGroups(DpsHeaders headers) {
String cacheKey = this.getGroupCacheKey(headers);
Groups groups = this.cache.get(cacheKey);
if (groups == null) {
IEntitlementsService service = this.factory.create(headers);
try {
groups = service.getGroups();
this.cache.put(cacheKey, groups);
this.logger.info("Entitlements cache miss");
} catch (EntitlementsException e) {
e.printStackTrace();
HttpResponse response = e.getHttpResponse();
this.logger.error(String.format("Error requesting entitlements service %s", response));
throw new AppException(e.getHttpResponse().getResponseCode(), ERROR_REASON, ERROR_MSG, e);
}
}
return groups;
}
protected static String getGroupCacheKey(DpsHeaders headers) {
String key = String.format("entitlement-groups:%s:%s", headers.getPartitionIdWithFallbackToAccountId(),
headers.getAuthorization());
return Crc32c.hashToBase64EncodedString(key);
}
}
/* Licensed Materials - Property of IBM */
/* (c) Copyright IBM Corp. 2020. All Rights Reserved.*/
package org.opengroup.osdu.partition.provider.ibm.security;
import javax.inject.Inject;
import org.opengroup.osdu.core.common.entitlements.EntitlementsAPIConfig;
import org.opengroup.osdu.core.common.entitlements.EntitlementsFactory;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
import org.opengroup.osdu.core.common.http.json.HttpResponseBodyMapper;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.beans.factory.config.AbstractFactoryBean;
import org.springframework.stereotype.Component;
@Component
public class EntitlementsClientFactory extends AbstractFactoryBean<IEntitlementsFactory> {
@Value("${AUTHORIZE_API}")
private String AUTHORIZE_API;
@Value("${AUTHORIZE_API_KEY:}")
private String AUTHORIZE_API_KEY;
@Inject
private HttpResponseBodyMapper httpResponseBodyMapper;
@Override
protected IEntitlementsFactory createInstance() throws Exception {
return new EntitlementsFactory(EntitlementsAPIConfig
.builder()
.rootUrl(AUTHORIZE_API)
.apiKey(AUTHORIZE_API_KEY)
.build(),
httpResponseBodyMapper);
}
@Override
public Class<?> getObjectType() {
return IEntitlementsFactory.class;
}
}
\ No newline at end of file
/* Licensed Materials - Property of IBM */
/* (c) Copyright IBM Corp. 2020. All Rights Reserved.*/
package org.opengroup.osdu.partition.provider.ibm.security;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true)
public class KeycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.authorizeRequests()
.anyRequest().authenticated().and().oauth2ResourceServer().jwt();
/* .anyRequest()
.permitAll();*/
http.csrf().disable();
http.headers().frameOptions().disable();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new NullAuthenticatedSessionStrategy();
}
@Bean
public KeycloakConfigResolver KeycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
}
\ No newline at end of file
/* Licensed Materials - Property of IBM */
/* (c) Copyright IBM Corp. 2020. All Rights Reserved.*/
package org.opengroup.osdu.partition.provider.ibm.security;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfigIBM extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers("_ah/liveness_check",
"/_ah/readiness_check",
"/swagger-resources/**",
"/configuration/security",
"/webjars/**")
.permitAll().anyRequest().authenticated().and().oauth2ResourceServer().jwt();
}
}
\ No newline at end of file
......@@ -26,3 +26,33 @@ ibm.db.password=TODO
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=TODO
##Keycloak for partition service
keycloak.realm=TODO
keycloak.auth-server-url=TODO
keycloak.resource=TODO
keycloak.credentials.secret=TODO
keycloak.ssl-required=TODO
keycloak.bearer-only=true
keycloak.use-resource-role-mappings=false
partition.role=partition-admin-role