partitionid validation test case updated. no access token response code

check changed 401 to 403

partitionid validation test case updated. no access token response code
65720d6b · Bhushan Rade · Anuj Gupta · 2c9cdcda · 65720d6b · 65720d6b
Commit 65720d6b authored 3 years ago by Bhushan Rade Committed by Anuj Gupta 3 years ago
--- a/NOTICE
+++ b/NOTICE
@@ -348,6 +348,7 @@ The following software have components provided under the terms of this license:
 - Java Native Access (from https://github.com/java-native-access/jna)
 - Java Native Access Platform (from https://github.com/java-native-access/jna)
 - Javassist (from http://www.javassist.org/)
+- Javassist (from http://www.javassist.org/)
 - Jetty Server (from )
 - Jetty Utilities (from )
 - Joda-Time (from http://www.joda.org/joda-time/)
@@ -358,6 +359,15 @@ The following software have components provided under the terms of this license:
 - KeePassJava2 :: KDB (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-kdb)
 - KeePassJava2 :: KDBX (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-kdbx)
 - KeePassJava2 :: Simple (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-simple)
+- KeyCloak Authz: Client API (from )
+- Keycloak :: Spring :: Boot :: Default ::  Starter (from )
+- Keycloak Adapter Core (from )
+- Keycloak Adapter SPI (from )
+- Keycloak Common (from )
+- Keycloak Core (from )
+- Keycloak Spring Boot 2 Integration (from )
+- Keycloak Spring Boot Adapter Core (from )
+- Keycloak Spring Security Integration (from )
 - Logback Contrib :: JSON :: Classic (from )
 - Logback Contrib :: JSON :: Core (from )
 - Logback Contrib :: Jackson (from )
@@ -561,6 +571,7 @@ The following software have components provided under the terms of this license:
 - rest-high-level (from https://github.com/elastic/elasticsearch)
 - rxjava (from https://github.com/ReactiveX/RxJava)
 - secure-sm (from https://github.com/elastic/elasticsearch)
+- spring-boot-container-bundle (from )
 - spring-security-config (from http://spring.io/spring-security)
 - spring-security-core (from http://spring.io/spring-security)
 - spring-security-oauth2-client (from http://spring.io/spring-security)
@@ -597,6 +608,7 @@ The following software have components provided under the terms of this license:
 - GAX (Google Api eXtensions) (from https://github.com/googleapis)
 - Hamcrest (from http://hamcrest.org/JavaHamcrest/)
 - Hamcrest Core (from http://hamcrest.org/)
+- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
 - Lucene Common Analyzers (from )
 - Plexus :: Default Container (from )
 - Plexus Common Utilities (from http://plexus.codehaus.org/plexus-utils)
@@ -625,8 +637,10 @@ The following software have components provided under the terms of this license:
 - Google Auth Library for Java - OAuth2 HTTP (from )
 - Hamcrest (from http://hamcrest.org/JavaHamcrest/)
 - Hamcrest Core (from http://hamcrest.org/)
+- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
 - JDOM (from http://www.jdom.org)
 - JSch (from http://www.jcraft.com/jsch/)
+- JavaBeans Activation Framework (from )
 - JavaBeans Activation Framework API jar (from )
 - Lucene Common Analyzers (from )
 - Lucene Core (from )
@@ -795,6 +809,7 @@ The following software have components provided under the terms of this license:
 - Java Native Access (from https://github.com/java-native-access/jna)
 - Java Native Access Platform (from https://github.com/java-native-access/jna)
 - Javassist (from http://www.javassist.org/)
+- Javassist (from http://www.javassist.org/)
 - Logback Classic Module (from )
 - Logback Contrib :: JSON :: Classic (from )
 - Logback Contrib :: JSON :: Core (from )
@@ -811,6 +826,7 @@ LGPL-2.1-or-later
 ========================================================================
 The following software have components provided under the terms of this license:

+- Javassist (from http://www.javassist.org/)
 - SnakeYAML (from http://www.snakeyaml.org)

 ========================================================================
@@ -835,6 +851,7 @@ The following software have components provided under the terms of this license:
 - Azure Java Client Runtime for AutoRest (from https://github.com/Azure/autorest-clientruntime-for-java)
 - Azure Metrics Spring Boot Starter (from https://github.com/Microsoft/azure-spring-boot)
 - Azure Spring Boot AutoConfigure (from https://github.com/Microsoft/azure-spring-boot)
+- Bouncy Castle Provider (from http://www.bouncycastle.org/java.html)
 - Checker Qual (from https://checkerframework.org)
 - Extensions on Apache Proton-J library (from https://github.com/Azure/qpid-proton-j-extensions)
 - JOpt Simple (from http://pholser.github.io/jopt-simple)
@@ -886,12 +903,14 @@ The following software have components provided under the terms of this license:

 - Cobertura code coverage (from http://cobertura.sourceforge.net)
 - Javassist (from http://www.javassist.org/)
+- Javassist (from http://www.javassist.org/)

 ========================================================================
 MPL-2.0
 ========================================================================
 The following software have components provided under the terms of this license:

+- Javassist (from http://www.javassist.org/)
 - Javassist (from http://www.javassist.org/)
 - OkHttp (from )

@@ -900,6 +919,7 @@ PHP-3.01
 ========================================================================
 The following software have components provided under the terms of this license:

+- JavaBeans Activation Framework (from )
 - JavaBeans Activation Framework API jar (from )
 - jakarta.xml.bind-api (from )

@@ -952,9 +972,13 @@ The following software have components provided under the terms of this license:
 - AWS Java SDK :: SDK Core (from https://aws.amazon.com/sdkforjava)
 - AWS SDK for Java - Models (from https://aws.amazon.com/sdkforjava)
 - Asynchronous Http Client (from )
+- Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs (from http://www.bouncycastle.org/java.html)
+- Bouncy Castle Provider (from http://www.bouncycastle.org/java.html)
 - Guava: Google Core Libraries for Java (from https://github.com/google/guava.git)
 - HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
+- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
 - Joda-Time (from http://www.joda.org/joda-time/)
+- Keycloak Common (from )
 - LatencyUtils (from http://latencyutils.github.io/LatencyUtils/)
 - Microsoft Application Insights Java SDK Core (from https://github.com/Microsoft/ApplicationInsights-Java)
 - Microsoft Azure SDK for SQL API of Azure Cosmos DB Service (from https://github.com/Azure/azure-sdk-for-java)
@@ -972,10 +996,13 @@ unknown
 ========================================================================
 The following software have components provided under the terms of this license:

+- Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs (from http://www.bouncycastle.org/java.html)
+- Bouncy Castle Provider (from http://www.bouncycastle.org/java.html)
 - Byte Buddy (without dependencies) (from )
 - JUnit (from http://junit.org)
 - JUnit (from http://junit.org)
 - JUnit Jupiter (Aggregator) (from https://junit.org/junit5/)
+- JavaBeans Activation Framework (from )
 - JavaBeans Activation Framework API jar (from )
 - JavaMail API (from )
 - Servlet Specification 2.5 API (from )

--- a/provider/partition-ibm/pom.xml
+++ b/provider/partition-ibm/pom.xml
@@ -20,20 +20,15 @@
    <packaging>jar</packaging>

    <properties>
-        <aws.version>1.11.637</aws.version>
+        <version.keycloak>9.0.2</version.keycloak>
    </properties>

    <dependencies>
        <!-- Internal packages -->
-        <dependency>
-            <groupId>org.opengroup.osdu</groupId>
-            <artifactId>os-core-common</artifactId>
-            <version>0.3.28</version>
-        </dependency>
        <dependency>
            <groupId>org.opengroup.osdu</groupId>
            <artifactId>os-core-lib-ibm</artifactId>
-            <version>0.7.0</version>
+            <version>0.8.2</version>
        </dependency>
        <dependency>
            <groupId>org.opengroup.osdu</groupId>
@@ -43,10 +38,10 @@


        <!-- Third party Apache 2.0 license packages -->
-        <dependency>
+      <!--   <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
-        </dependency>
+        </dependency> -->
        <dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-actuator</artifactId>
@@ -119,6 +114,31 @@
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
+        
+        
+         <!-- Keycloak  -->
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-spring-boot-starter</artifactId>
+            <version>${version.keycloak}</version>
+        </dependency>
+        <!-- <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-spring-boot-starter-security</artifactId>
+            <version>${version.keycloak}</version>
+        </dependency> -->
+        <!-- <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-authz-client</artifactId>
+            <version>${version.keycloak}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-admin-client</artifactId>
+            <version>${version.keycloak}</version>
+        </dependency> -->
+        
+        
    </dependencies>

    <build>

--- a/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/AuthorizationService.java
+++ b/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/AuthorizationService.java
@@ -3,47 +3,52 @@

 package org.opengroup.osdu.partition.provider.ibm.security;

-import org.opengroup.osdu.core.common.entitlements.IEntitlementsAndCacheService;
+import org.keycloak.KeycloakPrincipal;
+import org.keycloak.KeycloakSecurityContext;
 import org.opengroup.osdu.core.common.model.http.AppException;
-import org.opengroup.osdu.core.common.model.http.DpsHeaders;
 import org.opengroup.osdu.partition.provider.interfaces.IAuthorizationService;
-import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Component;
 import org.springframework.web.context.annotation.RequestScope;

+import lombok.extern.slf4j.Slf4j;
+
 @Component
 @RequestScope
+@Slf4j
 public class AuthorizationService implements IAuthorizationService {

-    public static final String PARTITION_ADMIN_ROLE = "service.partition.admin";
-
-    @Autowired
-    private IEntitlementsAndCacheService entitlementsAndCacheService;
-    
-    @Autowired
-    private DpsHeaders headers;
-
-    @Override
-    public boolean isDomainAdminServiceAccount() {
-        try {
-            return hasRole(PARTITION_ADMIN_ROLE);
-        }
-        catch (AppException e) {
-            throw e;
-        }
-        catch (Exception e) {
-            throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure", e.getMessage(), e);
-        }
-        
-    }
-
-    private boolean hasRole(String requiredRole) {        
-        //headers.put(DpsHeaders.DATA_PARTITION_ID, PARTITION_NAME);
-        String user = entitlementsAndCacheService.authorize(headers, requiredRole);
-        headers.put(DpsHeaders.USER_EMAIL, user);
-        return true;
-    }
+	@Value("${service.partition.admin.user}")
+	String partitionAdminUser;
+
+
+	@Override
+	public boolean isDomainAdminServiceAccount() {
+		try {
+			final Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+			@SuppressWarnings("unchecked")
+			KeycloakPrincipal<KeycloakSecurityContext> principal = (KeycloakPrincipal<KeycloakSecurityContext>) auth.getPrincipal();
+			String upn =  principal.getName();
+			log.info("email : "+upn);
+			if(upn.equals(partitionAdminUser)) {
+				return true;
+			} 
+		    else {
+				throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
+			}
+				
+		}
+		catch (AppException e) {
+			throw e;
+		}
+		catch (Exception e) {
+			throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure", e.getMessage(), e);
+		}
+
+	}

 }

--- a/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/EntitlementsAndCacheServiceImpl.java
+++ b/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/EntitlementsAndCacheServiceImpl.java
-/* Licensed Materials - Property of IBM              */
-/* (c) Copyright IBM Corp. 2020. All Rights Reserved.*/
-
-package org.opengroup.osdu.partition.provider.ibm.security;
-
-import org.apache.http.HttpStatus;
-import org.opengroup.osdu.core.common.model.entitlements.Acl;
-import org.opengroup.osdu.core.common.model.http.DpsHeaders;
-import org.opengroup.osdu.core.common.cache.ICache;
-import org.opengroup.osdu.core.common.model.storage.RecordMetadata;
-import org.opengroup.osdu.core.common.util.Crc32c;
-import org.opengroup.osdu.core.common.model.entitlements.EntitlementsException;
-import org.opengroup.osdu.core.common.model.entitlements.Groups;
-import org.opengroup.osdu.core.common.model.http.AppException;
-import org.opengroup.osdu.core.common.http.HttpResponse;
-import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
-import org.opengroup.osdu.core.common.entitlements.IEntitlementsService;
-import org.opengroup.osdu.core.common.logging.JaxRsDpsLog;
-import org.opengroup.osdu.core.common.entitlements.IEntitlementsAndCacheService;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Service;
-
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-@Service
-public class EntitlementsAndCacheServiceImpl implements IEntitlementsAndCacheService {
-
-	private static final String ERROR_REASON = "Access denied";
-	private static final String ERROR_MSG = "The user is not authorized to perform this action";
-
-	@Autowired
-	private IEntitlementsFactory factory;
-
-	@Autowired
-	private ICache<String, Groups> cache;
-
-	@Autowired
-	private JaxRsDpsLog logger;
-
-	@Override
-	public String authorize(DpsHeaders headers, String... roles) {
-		Groups groups = this.getGroups(headers);
-		if (groups.any(roles)) {
-			return groups.getDesId();
-		} else {
-			throw new AppException(HttpStatus.SC_UNAUTHORIZED, ERROR_REASON, ERROR_MSG);
-		}
-	}
-
-	@Override
-	public boolean isValidAcl(DpsHeaders headers, Set<String> acls) {
-		Groups groups = this.getGroups(headers);
-		if (groups.getGroups() == null || groups.getGroups().isEmpty()) {
-			this.logger.error("Error on getting groups for user: " + headers.getUserEmail());
-			throw new AppException(HttpStatus.SC_INTERNAL_SERVER_ERROR, "Unknown error",
-					"Unknown error happened when validating ACL");
-		}
-		String email = groups.getGroups().get(0).getEmail();
-		if (!email.matches("^[a-zA-Z0-9_+&*-]+(?:\\.[a-zA-Z0-9_+&*-]+)*@(?:[a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,7}$")) {
-			this.logger.error("Email address is invalid for this group: " + groups.getGroups().get(0));
-			throw new AppException(HttpStatus.SC_INTERNAL_SERVER_ERROR, "Unknown error",
-					"Unknown error happened when validating ACL");
-		}
-		String domain = email.split("@")[1];
-		for (String acl : acls) {
-			if (!acl.split("@")[1].equalsIgnoreCase(domain)) {
-				return false;
-			}
-		}
-		return true;
-	}
-
-	@Override
-	public boolean hasOwnerAccess(DpsHeaders headers, String[] ownerList) {
-		Groups groups = this.getGroups(headers);
-		Set<String> aclList = new HashSet<>();
-
-		for (String owner : ownerList) {
-			aclList.add(owner.split("@")[0]);
-		}
-
-		String[] acls = new String[aclList.size()];
-		return groups.any(aclList.toArray(acls));
-	}
-
-	@Override
-	public List<RecordMetadata> hasValidAccess(List<RecordMetadata> recordsMetadata, DpsHeaders headers) {
-		Groups groups = this.getGroups(headers);
-		List<RecordMetadata> result = new ArrayList<>();
-
-		for (RecordMetadata recordMetadata : recordsMetadata) {
-			Acl storageAcl = recordMetadata.getAcl();
-			if (hasAccess(storageAcl, groups)) {
-				result.add(recordMetadata);
-			} else {
-				this.logger.warning("Post ACL check fails: " + recordMetadata.getId());
-			}
-		}
-
-		return result;
-	}
-
-	private boolean hasAccess(Acl storageAcl, Groups groups) {
-		String[] viewers = storageAcl.getViewers();
-		String[] owners = storageAcl.getOwners();
-		Set<String> aclList = new HashSet<>();
-
-		for (String viewer : viewers) {
-			aclList.add(viewer.split("@")[0]);
-		}
-		for (String owner : owners) {
-			aclList.add(owner.split("@")[0]);
-		}
-
-		String[] acls = new String[aclList.size()];
-		if (groups.any(aclList.toArray(acls))) {
-			return true;
-		} else {
-			return false;
-		}
-	}
-
-	protected Groups getGroups(DpsHeaders headers) {
-		String cacheKey = this.getGroupCacheKey(headers);
-		Groups groups = this.cache.get(cacheKey);
-
-		if (groups == null) {
-			IEntitlementsService service = this.factory.create(headers);
-			try {
-				groups = service.getGroups();
-				this.cache.put(cacheKey, groups);
-				this.logger.info("Entitlements cache miss");
-
-			} catch (EntitlementsException e) {
-				e.printStackTrace();
-				HttpResponse response = e.getHttpResponse();
-				this.logger.error(String.format("Error requesting entitlements service %s", response));
-				throw new AppException(e.getHttpResponse().getResponseCode(), ERROR_REASON, ERROR_MSG, e);
-			}
-		}
-
-		return groups;
-	}
-
-	protected static String getGroupCacheKey(DpsHeaders headers) {
-		String key = String.format("entitlement-groups:%s:%s", headers.getPartitionIdWithFallbackToAccountId(),
-				headers.getAuthorization());
-		return Crc32c.hashToBase64EncodedString(key);
-	}
-}
--- a/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/EntitlementsClientFactory.java
+++ b/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/EntitlementsClientFactory.java
-/* Licensed Materials - Property of IBM              */
-/* (c) Copyright IBM Corp. 2020. All Rights Reserved.*/
-
-package org.opengroup.osdu.partition.provider.ibm.security;
-
-import javax.inject.Inject;
-
-import org.opengroup.osdu.core.common.entitlements.EntitlementsAPIConfig;
-import org.opengroup.osdu.core.common.entitlements.EntitlementsFactory;
-import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
-import org.opengroup.osdu.core.common.http.json.HttpResponseBodyMapper;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.beans.factory.config.AbstractFactoryBean;
-import org.springframework.stereotype.Component;
-
-@Component
-public class EntitlementsClientFactory extends AbstractFactoryBean<IEntitlementsFactory> {
-
-	@Value("${AUTHORIZE_API}")
-	private String AUTHORIZE_API;
-
-	@Value("${AUTHORIZE_API_KEY:}")
-	private String AUTHORIZE_API_KEY;
-
-	@Inject
-	private HttpResponseBodyMapper httpResponseBodyMapper;
-
-	@Override
-	protected IEntitlementsFactory createInstance() throws Exception {
-
-		return new EntitlementsFactory(EntitlementsAPIConfig
-				.builder()
-				.rootUrl(AUTHORIZE_API)
-				.apiKey(AUTHORIZE_API_KEY)
-				.build(),
-				httpResponseBodyMapper);
-	}
-
-	@Override
-	public Class<?> getObjectType() {
-		return IEntitlementsFactory.class;
-	}
-}
\ No newline at end of file
--- a/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/KeycloakSecurityConfig.java
+++ b/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/KeycloakSecurityConfig.java
+/* Licensed Materials - Property of IBM              */
+/* (c) Copyright IBM Corp. 2020. All Rights Reserved.*/
+
+package org.opengroup.osdu.partition.provider.ibm.security;
+
+import org.keycloak.adapters.KeycloakConfigResolver;
+import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
+import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
+import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
+import org.springframework.security.core.session.SessionRegistryImpl;
+import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
+import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
+
+@Configuration
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true)
+public class KeycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        super.configure(http);
+        http.authorizeRequests()
+        .anyRequest().authenticated().and().oauth2ResourceServer().jwt();
+           /* .anyRequest()
+            .permitAll();*/
+        http.csrf().disable();
+        http.headers().frameOptions().disable();
+    }
+
+    @Autowired
+    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+        KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
+        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
+        auth.authenticationProvider(keycloakAuthenticationProvider);
+    }
+
+    @Bean
+    @Override
+    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
+        return new NullAuthenticatedSessionStrategy();
+    }
+
+    @Bean
+    public KeycloakConfigResolver KeycloakConfigResolver() {
+        return new KeycloakSpringBootConfigResolver();
+    }
+}
\ No newline at end of file
--- a/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/SecurityConfigIBM.java
+++ b/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/SecurityConfigIBM.java
-/* Licensed Materials - Property of IBM              */
-/* (c) Copyright IBM Corp. 2020. All Rights Reserved.*/
-
-package org.opengroup.osdu.partition.provider.ibm.security;
-
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-
-@EnableWebSecurity
-@Configuration
-@EnableGlobalMethodSecurity(prePostEnabled = true)
-public class SecurityConfigIBM extends WebSecurityConfigurerAdapter {
-	@Override
-	protected void configure(HttpSecurity http) throws Exception {
-		http.csrf().disable().authorizeRequests()
-				.antMatchers("_ah/liveness_check",
-						"/_ah/readiness_check",
-						"/swagger-resources/**",
-						"/configuration/security",  
-						"/webjars/**")
-				.permitAll().anyRequest().authenticated().and().oauth2ResourceServer().jwt();
-	}
-}
\ No newline at end of file
--- a/provider/partition-ibm/src/main/resources/application.properties
+++ b/provider/partition-ibm/src/main/resources/application.properties
@@ -26,3 +26,33 @@ ibm.db.password=TODO

 spring.security.oauth2.resourceserver.jwt.jwk-set-uri=TODO

+
+##Keycloak for partition service
+keycloak.realm=TODO
+keycloak.auth-server-url=TODO
+keycloak.resource=TODO
+keycloak.credentials.secret=TODO
+keycloak.ssl-required=TODO
+keycloak.bearer-only=true
+keycloak.use-resource-role-mappings=false
+partition.role=partition-admin-role
+#added above property as '[]' are not allowed in openshift env variables
+keycloak.securityConstraints[0].authRoles[0]=${partition.role}
+#keycloak.securityConstraints[0].securityCollections[0].name=protected
+#api pattern for role validation
+partition.api.pattern=/*
+keycloak.securityConstraints[0].securityCollections[0].patterns[0]=${partition.api.pattern}
+keycloak.principal-attribute=email
+##SA check
+service.partition.admin.user=partition-service-admin@in.ibm.com
+#SERVICE_DOMAIN_NAME=ibm.com
+
+#No-use-but mandatory properties for os-core-lib-ibm 9.0.
+#Token generation for partition service call
+partition.keycloak.user=TODO
+partition.keycloak.password=TODO
+partition.keycloak.url=TODO
+partition.keycloak.realm=TODO
+partition.keycloak.client_id=TODO
+partition.keycloak.client_secert=TODO
+
--- a/testing/README.md
+++ b/testing/README.md
-Copyright 2017-2020, Schlumberger
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
 # Partition service integration tests

-Partition integration tests are refactored so that the business logic for integration tests resides in the `partition-test-core` module and provider specific logic and execution steps reside in provider module (e.g. `partition-test-azure`). To run the integration tests, the core module is built first and then the provider module is executed. Please read further to know more details.
+Partition integration tests are refactored so that the business logic for integration tests resides in the `partition-test-core` module and provider specific logic and execution steps reside in provider module. To run the integration tests, the core module is built first and then the provider module is executed. Please read further to know more details.

 ### Dependencies needed to run the integration tests 
 * JDK8
 * Maven
-* Azure Devops access to slb-des-ext-collaboration organization. You need to generate a PAT that can access dependencies held in the Azure artifacts
 * Values for the following environment variables in Config.java (in `partition-test-core` module)
  
  ```
@@ -27,9 +12,7 @@ Partition integration tests are refactored so that the business logic for integr
   PARTITION_BASE_URL (service base URL, required only if running integration tests against a cloud endpoint)
   CLIENT_TENANT (name of the client partition, required only if running integration tests against a cloud endpoint) (e.g. 'common')
   MY_TENANT(name of the OSDU partition, required only if running integration tests against a cloud endpoint) (e.g. 'opendes')
+
   ```

  Above variables should be configured in the release pipeline to run integration tests. You should also replace them with proper values if you wish to run tests locally.
-### Commands to run tests
-* Integration tests are refactored into two pieces: Core and Provider. Core contains business logic for tests and is a dependency for executing the tests from provider module. To build the core module, simply navigate to `partition-test-core` directory and run `mvn clean install`. This will build the core module
-* Next, to execute the integration tests, navigate to the provider module and execute `mvn test`
--- a/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestCreatePartition.java
+++ b/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestCreatePartition.java
@@ -3,11 +3,15 @@

 package org.opengroup.osdu.partition.api;

+import static org.junit.Assert.assertEquals;
+
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.opengroup.osdu.partition.util.IBMTestUtils;

+import com.sun.jersey.api.client.ClientResponse;
+
 public class TestCreatePartition extends CreatePartitionTest {

    @Before
@@ -22,4 +26,22 @@ public class TestCreatePartition extends CreatePartitionTest {
        this.testUtils = null;
    }

+    @Test
+	@Override
+	public void should_return401_when_noAccessToken() throws Exception {
+		// Springboot Keycloak gives 403 when token does not have required roles
+    	 ClientResponse response = descriptor.runOnCustomerTenant(getId(), testUtils.getNoAccessToken());
+         assertEquals(error(response.getEntity(String.class)), 403, response.getStatus());
+	}
+
+    @Test
+	@Override
+	public void should_return401_when_accessingWithCredentialsWithoutPermission() throws Exception {
+		// Partition-ibm service does not required partition id
+    	// Here, no access token used hence checking with 403 response code in assertion statement  
+    	ClientResponse response = descriptor.run(getId(), testUtils.getNoAccessToken());
+        assertEquals(403, response.getStatus());
+	}
+       
+
 }
--- a/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestDeletePartition.java
+++ b/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestDeletePartition.java
@@ -3,11 +3,15 @@

 package org.opengroup.osdu.partition.api;

+import static org.junit.Assert.assertEquals;
+
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.opengroup.osdu.partition.util.IBMTestUtils;

+import com.sun.jersey.api.client.ClientResponse;
+
 public class TestDeletePartition extends DeletePartitionTest {
    
    @Before
@@ -22,4 +26,20 @@ public class TestDeletePartition extends DeletePartitionTest {
        this.testUtils = null;
    }

+    @Test
+	@Override
+	public void should_return401_when_noAccessToken() throws Exception {
+		// Springboot Keycloak gives 403 when token does not have required roles
+    	 ClientResponse response = descriptor.runOnCustomerTenant(getId(), testUtils.getNoAccessToken());
+         assertEquals(error(response.getEntity(String.class)), 403, response.getStatus());
+	}
+
+    @Test
+	@Override
+	public void should_return401_when_accessingWithCredentialsWithoutPermission() throws Exception {
+		// Partition-ibm service does not required partition id
+    	// Here, no access token used hence checking with 403 response code in assertion statement  
+    	ClientResponse response = descriptor.run(getId(), testUtils.getNoAccessToken());
+        assertEquals(403, response.getStatus());
+	}
 }
--- a/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestGetPartitionById.java
+++ b/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestGetPartitionById.java
@@ -3,11 +3,15 @@

 package org.opengroup.osdu.partition.api;

+import static org.junit.Assert.assertEquals;
+
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.opengroup.osdu.partition.util.IBMTestUtils;

+import com.sun.jersey.api.client.ClientResponse;
+
 public class TestGetPartitionById extends GetPartitionByIdApitTest {

    @Before
@@ -21,5 +25,20 @@ public class TestGetPartitionById extends GetPartitionByIdApitTest {
    public void tearDown() {
        this.testUtils = null;
    }
+    @Test
+	@Override
+	public void should_return401_when_noAccessToken() throws Exception {
+		// Springboot Keycloak gives 403 when token does not have required roles
+    	 ClientResponse response = descriptor.runOnCustomerTenant(getId(), testUtils.getNoAccessToken());
+         assertEquals(error(response.getEntity(String.class)), 403, response.getStatus());
+	}

+    @Test
+	@Override
+	public void should_return401_when_accessingWithCredentialsWithoutPermission() throws Exception {
+		// Partition-ibm service does not required partition id
+    	// Here, no access token used hence checking with 403 response code in assertion statement  
+    	ClientResponse response = descriptor.run(getId(), testUtils.getNoAccessToken());
+        assertEquals(403, response.getStatus());
+	}
 }
--- a/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestListPartitions.java
+++ b/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestListPartitions.java
@@ -3,11 +3,15 @@

 package org.opengroup.osdu.partition.api;

+import static org.junit.Assert.assertEquals;
+
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.opengroup.osdu.partition.util.IBMTestUtils;

+import com.sun.jersey.api.client.ClientResponse;
+
 public class TestListPartitions extends ListPartitionsApitTest {

    @Before
@@ -21,5 +25,20 @@ public class TestListPartitions extends ListPartitionsApitTest {
    public void tearDown() {
        this.testUtils = null;
    }
+    @Test
+	@Override
+	public void should_return401_when_noAccessToken() throws Exception {
+		// Springboot Keycloak gives 403 when token does not have required roles
+    	 ClientResponse response = descriptor.runOnCustomerTenant(getId(), testUtils.getNoAccessToken());
+         assertEquals(error(response.getEntity(String.class)), 403, response.getStatus());
+	}

+    @Test
+	@Override
+	public void should_return401_when_accessingWithCredentialsWithoutPermission() throws Exception {
+		// Partition-ibm service does not required partition id
+    	// Here, no access token used hence checking with 403 response code in assertion statement  
+    	ClientResponse response = descriptor.run(getId(), testUtils.getNoAccessToken());
+        assertEquals(403, response.getStatus());
+	}
 }
--- a/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestUpdatePartition.java
+++ b/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestUpdatePartition.java
@@ -3,11 +3,15 @@

 package org.opengroup.osdu.partition.api;

+import static org.junit.Assert.assertEquals;
+
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.opengroup.osdu.partition.util.IBMTestUtils;

+import com.sun.jersey.api.client.ClientResponse;
+
 public class TestUpdatePartition extends UpdatePartitionTest {

    @Before
@@ -21,5 +25,20 @@ public class TestUpdatePartition extends UpdatePartitionTest {
    public void tearDown() {
        this.testUtils = null;
    }
+    @Test
+	@Override
+	public void should_return401_when_noAccessToken() throws Exception {
+		// Springboot Keycloak gives 403 when token does not have required roles
+    	 ClientResponse response = descriptor.runOnCustomerTenant(getId(), testUtils.getNoAccessToken());
+         assertEquals(error(response.getEntity(String.class)), 403, response.getStatus());
+	}

+    @Test
+	@Override
+	public void should_return401_when_accessingWithCredentialsWithoutPermission() throws Exception {
+		// Partition-ibm service does not required partition id
+    	// Here, no access token used hence checking with 403 response code in assertion statement  
+    	ClientResponse response = descriptor.run(getId(), testUtils.getNoAccessToken());
+        assertEquals(403, response.getStatus());
+	}
 }