Commit 8b024004 authored by Matt Wise's avatar Matt Wise
Browse files

Merge remote-tracking branch 'origin/master' into dev

parents 70c640ee fffc7019
......@@ -7,7 +7,7 @@ variables:
AZURE_SERVICE: partition
AZURE_BUILD_SUBDIR: provider/partition-azure
AZURE_TEST_SUBDIR: testing/partition-test-azure
IBM_BUILD_SUBDIR: provider/partition-ibm
IBM_INT_TEST_SUBDIR: testing/partition-test-ibm
......@@ -15,7 +15,7 @@ variables:
OSDU_GCP_SERVICE: partition
OSDU_GCP_VENDOR: gcp
OSDU_GCP_APPLICATION_NAME: os-partition
OSDU_GCP_ENV_VARS: AUTHORIZE_API=$OSDU_GCP_AUTHORIZE_API,GOOGLE_CLOUD_PROJECT=$OSDU_GCP_PROJECT
OSDU_GCP_ENV_VARS: AUTHORIZE_API=$OSDU_GCP_AUTHORIZE_API,GOOGLE_CLOUD_PROJECT=$OSDU_GCP_PROJECT,GOOGLE_AUDIENCES=$GOOGLE_AUDIENCE,PARTITION_ADMIN_ACCOUNT=$OSDU_GCP_SERVICE_ACCOUNT
MAVEN_PROJECTS: "-pl partition-core,provider/partition-gcp"
OSDU_GCP_TEST_SUBDIR: testing/$OSDU_GCP_SERVICE-test-$OSDU_GCP_VENDOR
......@@ -32,19 +32,18 @@ include:
- project: "osdu/platform/ci-cd-pipelines"
file: "scanners/fossa-maven.yml"
- project: 'osdu/platform/ci-cd-pipelines'
file: 'cloud-providers/aws.yml'
- project: "osdu/platform/ci-cd-pipelines"
file: "cloud-providers/aws.yml"
- project: "osdu/platform/ci-cd-pipelines"
file: "cloud-providers/azure.yml"
- project: "osdu/platform/ci-cd-pipelines"
file: "cloud-providers/ibm.yml"
- project: "osdu/platform/ci-cd-pipelines"
file: 'cloud-providers/osdu-gcp-cloudrun.yml'
file: "cloud-providers/osdu-gcp-cloudrun.yml"
osdu-gcp-test:
variables:
CLIENT_TENANT: osdu
......@@ -348,6 +348,7 @@ The following software have components provided under the terms of this license:
- Java Native Access (from https://github.com/java-native-access/jna)
- Java Native Access Platform (from https://github.com/java-native-access/jna)
- Javassist (from http://www.javassist.org/)
- Javassist (from http://www.javassist.org/)
- Jetty Server (from )
- Jetty Utilities (from )
- Joda-Time (from http://www.joda.org/joda-time/)
......@@ -358,6 +359,15 @@ The following software have components provided under the terms of this license:
- KeePassJava2 :: KDB (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-kdb)
- KeePassJava2 :: KDBX (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-kdbx)
- KeePassJava2 :: Simple (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-simple)
- KeyCloak Authz: Client API (from )
- Keycloak :: Spring :: Boot :: Default :: Starter (from )
- Keycloak Adapter Core (from )
- Keycloak Adapter SPI (from )
- Keycloak Common (from )
- Keycloak Core (from )
- Keycloak Spring Boot 2 Integration (from )
- Keycloak Spring Boot Adapter Core (from )
- Keycloak Spring Security Integration (from )
- Logback Contrib :: JSON :: Classic (from )
- Logback Contrib :: JSON :: Core (from )
- Logback Contrib :: Jackson (from )
......@@ -561,6 +571,7 @@ The following software have components provided under the terms of this license:
- rest-high-level (from https://github.com/elastic/elasticsearch)
- rxjava (from https://github.com/ReactiveX/RxJava)
- secure-sm (from https://github.com/elastic/elasticsearch)
- spring-boot-container-bundle (from )
- spring-security-config (from http://spring.io/spring-security)
- spring-security-core (from http://spring.io/spring-security)
- spring-security-oauth2-client (from http://spring.io/spring-security)
......@@ -597,6 +608,7 @@ The following software have components provided under the terms of this license:
- GAX (Google Api eXtensions) (from https://github.com/googleapis)
- Hamcrest (from http://hamcrest.org/JavaHamcrest/)
- Hamcrest Core (from http://hamcrest.org/)
- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- Lucene Common Analyzers (from )
- Plexus :: Default Container (from )
- Plexus Common Utilities (from http://plexus.codehaus.org/plexus-utils)
......@@ -625,8 +637,10 @@ The following software have components provided under the terms of this license:
- Google Auth Library for Java - OAuth2 HTTP (from )
- Hamcrest (from http://hamcrest.org/JavaHamcrest/)
- Hamcrest Core (from http://hamcrest.org/)
- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- JDOM (from http://www.jdom.org)
- JSch (from http://www.jcraft.com/jsch/)
- JavaBeans Activation Framework (from )
- JavaBeans Activation Framework API jar (from )
- Lucene Common Analyzers (from )
- Lucene Core (from )
......@@ -795,6 +809,7 @@ The following software have components provided under the terms of this license:
- Java Native Access (from https://github.com/java-native-access/jna)
- Java Native Access Platform (from https://github.com/java-native-access/jna)
- Javassist (from http://www.javassist.org/)
- Javassist (from http://www.javassist.org/)
- Logback Classic Module (from )
- Logback Contrib :: JSON :: Classic (from )
- Logback Contrib :: JSON :: Core (from )
......@@ -811,6 +826,7 @@ LGPL-2.1-or-later
========================================================================
The following software have components provided under the terms of this license:
- Javassist (from http://www.javassist.org/)
- SnakeYAML (from http://www.snakeyaml.org)
========================================================================
......@@ -835,6 +851,7 @@ The following software have components provided under the terms of this license:
- Azure Java Client Runtime for AutoRest (from https://github.com/Azure/autorest-clientruntime-for-java)
- Azure Metrics Spring Boot Starter (from https://github.com/Microsoft/azure-spring-boot)
- Azure Spring Boot AutoConfigure (from https://github.com/Microsoft/azure-spring-boot)
- Bouncy Castle Provider (from http://www.bouncycastle.org/java.html)
- Checker Qual (from https://checkerframework.org)
- Extensions on Apache Proton-J library (from https://github.com/Azure/qpid-proton-j-extensions)
- JOpt Simple (from http://pholser.github.io/jopt-simple)
......@@ -886,12 +903,14 @@ The following software have components provided under the terms of this license:
- Cobertura code coverage (from http://cobertura.sourceforge.net)
- Javassist (from http://www.javassist.org/)
- Javassist (from http://www.javassist.org/)
========================================================================
MPL-2.0
========================================================================
The following software have components provided under the terms of this license:
- Javassist (from http://www.javassist.org/)
- Javassist (from http://www.javassist.org/)
- OkHttp (from )
......@@ -900,6 +919,7 @@ PHP-3.01
========================================================================
The following software have components provided under the terms of this license:
- JavaBeans Activation Framework (from )
- JavaBeans Activation Framework API jar (from )
- jakarta.xml.bind-api (from )
......@@ -952,9 +972,13 @@ The following software have components provided under the terms of this license:
- AWS Java SDK :: SDK Core (from https://aws.amazon.com/sdkforjava)
- AWS SDK for Java - Models (from https://aws.amazon.com/sdkforjava)
- Asynchronous Http Client (from )
- Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs (from http://www.bouncycastle.org/java.html)
- Bouncy Castle Provider (from http://www.bouncycastle.org/java.html)
- Guava: Google Core Libraries for Java (from https://github.com/google/guava.git)
- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- Joda-Time (from http://www.joda.org/joda-time/)
- Keycloak Common (from )
- LatencyUtils (from http://latencyutils.github.io/LatencyUtils/)
- Microsoft Application Insights Java SDK Core (from https://github.com/Microsoft/ApplicationInsights-Java)
- Microsoft Azure SDK for SQL API of Azure Cosmos DB Service (from https://github.com/Azure/azure-sdk-for-java)
......@@ -972,10 +996,13 @@ unknown
========================================================================
The following software have components provided under the terms of this license:
- Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs (from http://www.bouncycastle.org/java.html)
- Bouncy Castle Provider (from http://www.bouncycastle.org/java.html)
- Byte Buddy (without dependencies) (from )
- JUnit (from http://junit.org)
- JUnit (from http://junit.org)
- JUnit Jupiter (Aggregator) (from https://junit.org/junit5/)
- JavaBeans Activation Framework (from )
- JavaBeans Activation Framework API jar (from )
- JavaMail API (from )
- Servlet Specification 2.5 API (from )
......
......@@ -63,6 +63,8 @@ spec:
value: "80"
- name: ACCEPT_HTTP # TEMPORARY UNTIL HTTPS
value: "true"
- name: partition_spring_logging_level
value: INFO
- name: KEYVAULT_URI
valueFrom:
configMapKeyRef:
......
LOG_PREFIX=partition
server.servlet.contextPath=/api/partition/v1
logging.level.org.springframework.web=DEBUG
logging.level.org.springframework.web=${partition_spring_logging_level:INFO}
JAVA_OPTS=-Dserver.port=80
server.port=8080
springfox.documentation.swagger.v2.path=/api-docs
......
......@@ -21,6 +21,8 @@ In order to run the service locally or remotely, you will need to have the follo
| `SERVER_SERVLET_CONTEXPATH` | `/api/partition/v1` | Servlet context path | no | - |
| `AUTHORIZE_API` | ex `https://entitlements.com/entitlements/v1` | Entitlements API endpoint | no | output of infrastructure deployment |
| `GOOGLE_CLOUD_PROJECT` | ex `osdu-cicd-epam` | Google Cloud Project Id| no | output of infrastructure deployment |
| `GOOGLE_AUDIENCES` | ex `*****.apps.googleusercontent.com` | Client ID for getting access to cloud resources | yes | https://console.cloud.google.com/apis/credentials |
| `PARTITION_ADMIN_ACCOUNT` | ex `admin@domen.iam.gserviceaccount.com` | Partition Admin account email | no | - |
| `GOOGLE_APPLICATION_CREDENTIALS` | ex `/path/to/directory/service-key.json` | Service account credentials, you only need this if running locally | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
### Run Locally
......@@ -115,14 +117,9 @@ You will need to have the following environment variables defined.
| `PARTITION_BASE_URL` | ex `http://localhost:8080/` | service base URL | yes | |
| `CLIENT_TENANT` | ex `opendes` | name of the client partition | yes | |
| `MY_TENANT` | ex `opendes` | name of the OSDU partition | yes | |
| `INTEGRATION_TESTER` | `********` | Service account for API calls. Note: this user must have entitlements configured already. Base64 encoded string | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
| `INTEGRATION_TESTER` | `********` | Service account for API calls. Note: this user must be `PARTITION_ADMIN_ACCOUNT` | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
| `NO_DATA_ACCESS_TESTER` | `********` | Service account base64 encoded string without data access | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
| `INTEGRATION_TEST_AUDIENCE` | `********` | client application ID | yes | https://console.cloud.google.com/apis/credentials |
**Entitlements configuration for integration accounts**
| INTEGRATION_TESTER | NO_DATA_ACCESS_TESTER |
| --- | --- |
| users<br/>service.entitlements.user<br/>service.partition.admin<br/>data.test1<br/>data.integration.test<br/>users@{tenant1}@{domain}.com | users <br/>service.entitlements.user<br/> |
Execute following command to build code and run all the integration tests:
......
......@@ -28,9 +28,11 @@ import org.springframework.context.annotation.Configuration;
@Setter
public class PropertiesConfiguration {
private String authorizeApi;
private String googleAudiences;
private int cacheExpiration;
private String partitionAdminAccount;
private int cacheMaxSize;
private int cacheExpiration;
private int cacheMaxSize;
}
......@@ -17,14 +17,19 @@
package org.opengroup.osdu.partition.provider.gcp.security;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import java.util.Collections;
import java.util.Objects;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.opengroup.osdu.core.common.model.entitlements.AuthorizationResponse;
import org.apache.commons.lang3.StringUtils;
import org.opengroup.osdu.core.common.model.http.AppException;
import org.opengroup.osdu.core.common.model.http.DpsHeaders;
import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration;
import org.opengroup.osdu.partition.provider.interfaces.IAuthorizationService;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.context.annotation.RequestScope;
......@@ -34,23 +39,47 @@ import org.springframework.web.context.annotation.RequestScope;
@RequiredArgsConstructor
public class AuthorizationService implements IAuthorizationService {
private static final String PARTITION_ADMIN_ROLE = "service.partition.admin";
private final PropertiesConfiguration configuration;
private final DpsHeaders headers;
private final DpsHeaders headers;
private final org.opengroup.osdu.core.common.provider.interfaces.IAuthorizationService authorizationServiceImpl;
@Override
public boolean isDomainAdminServiceAccount() {
if (Objects.isNull(headers.getAuthorization()) || headers.getAuthorization().isEmpty()) {
throw AppException.createUnauthorized("No JWT token. Access is Forbidden");
}
try {
GoogleIdTokenVerifier verifier =
new GoogleIdTokenVerifier.Builder(
GoogleNetHttpTransport.newTrustedTransport(),
JacksonFactory.getDefaultInstance())
.setAudience(Collections.singleton(configuration.getGoogleAudiences()))
.build();
@Override
public boolean isDomainAdminServiceAccount() {
try {
AuthorizationResponse authorizationResponse = authorizationServiceImpl
.authorizeAny(headers, PARTITION_ADMIN_ROLE);
} catch (AppException e) {
throw e;
} catch (Exception e) {
throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure",
e.getMessage(), e);
String authorization = headers.getAuthorization().replace("Bearer ", "");
GoogleIdToken googleIdToken = verifier.verify(authorization);
if (Objects.isNull(googleIdToken)) {
log.warn("Not valid token provided");
throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
}
String email = googleIdToken.getPayload().getEmail();
String partitionAdminAccount = configuration.getPartitionAdminAccount();
if (Objects.nonNull(partitionAdminAccount) && !partitionAdminAccount.isEmpty()) {
if (email.equals(partitionAdminAccount)) {
return true;
} else {
throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
}
} else {
if (StringUtils.endsWithIgnoreCase(email, "gserviceaccount.com")) {
return true;
} else {
throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
}
}
} catch (Exception e) {
log.warn("Not valid or expired token provided");
throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
}
}
return true;
}
}
/*
Copyright 2002-2021 Google LLC
Copyright 2002-2021 EPAM Systems, Inc
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package org.opengroup.osdu.partition.provider.gcp.security;
import lombok.RequiredArgsConstructor;
import javax.inject.Inject;
import org.opengroup.osdu.core.common.entitlements.EntitlementsAPIConfig;
import org.opengroup.osdu.core.common.entitlements.EntitlementsFactory;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
import org.opengroup.osdu.core.common.http.json.HttpResponseBodyMapper;
import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration;
import org.springframework.beans.factory.config.AbstractFactoryBean;
import org.springframework.stereotype.Component;
@Component
@RequiredArgsConstructor
public class EntitlementsClientFactory extends AbstractFactoryBean<IEntitlementsFactory> {
private final PropertiesConfiguration properties;
@Inject
private HttpResponseBodyMapper httpResponseBodyMapper;
@Override
protected IEntitlementsFactory createInstance() throws Exception {
return new EntitlementsFactory(EntitlementsAPIConfig
.builder()
.rootUrl(properties.getAuthorizeApi())
.build(),
httpResponseBodyMapper);
}
@Override
public Class<?> getObjectType() {
return IEntitlementsFactory.class;
}
}
......@@ -17,6 +17,8 @@ kms-key=searchService
KEY_RING=${key-ring}
KMS_KEY=${kms-key}
GOOGLE_CLOUD_PROJECT=${google-cloud-project}
google-audiences=123.apps.googleusercontent.com
partition-admin-account=admin@domen.iam.gserviceaccount.com
#logging configuration
logging.level.org.springframework.web=${LOG_LEVEL:DEBUG}
......
......@@ -20,20 +20,15 @@
<packaging>jar</packaging>
<properties>
<aws.version>1.11.637</aws.version>
<version.keycloak>9.0.2</version.keycloak>
</properties>
<dependencies>
<!-- Internal packages -->
<dependency>
<groupId>org.opengroup.osdu</groupId>
<artifactId>os-core-common</artifactId>
<version>0.3.28</version>
</dependency>
<dependency>
<groupId>org.opengroup.osdu</groupId>
<artifactId>os-core-lib-ibm</artifactId>
<version>0.7.0</version>
<version>0.8.2</version>
</dependency>
<dependency>
<groupId>org.opengroup.osdu</groupId>
......@@ -43,10 +38,10 @@
<!-- Third party Apache 2.0 license packages -->
<dependency>
<!-- <dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
</dependency> -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
......@@ -119,6 +114,31 @@
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
<!-- Keycloak -->
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-starter</artifactId>
<version>${version.keycloak}</version>
</dependency>
<!-- <dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-starter-security</artifactId>
<version>${version.keycloak}</version>
</dependency> -->
<!-- <dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-authz-client</artifactId>
<version>${version.keycloak}</version>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-admin-client</artifactId>
<version>${version.keycloak}</version>
</dependency> -->
</dependencies>
<build>
......
......@@ -3,47 +3,52 @@
package org.opengroup.osdu.partition.provider.ibm.security;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsAndCacheService;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.opengroup.osdu.core.common.model.http.AppException;
import org.opengroup.osdu.core.common.model.http.DpsHeaders;
import org.opengroup.osdu.partition.provider.interfaces.IAuthorizationService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.context.annotation.RequestScope;
import lombok.extern.slf4j.Slf4j;
@Component
@RequestScope
@Slf4j
public class AuthorizationService implements IAuthorizationService {
public static final String PARTITION_ADMIN_ROLE = "service.partition.admin";
@Autowired
private IEntitlementsAndCacheService entitlementsAndCacheService;
@Autowired
private DpsHeaders headers;
@Override
public boolean isDomainAdminServiceAccount() {
try {
return hasRole(PARTITION_ADMIN_ROLE);
}
catch (AppException e) {
throw e;
}
catch (Exception e) {
throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure", e.getMessage(), e);
}
}
private boolean hasRole(String requiredRole) {
//headers.put(DpsHeaders.DATA_PARTITION_ID, PARTITION_NAME);
String user = entitlementsAndCacheService.authorize(headers, requiredRole);
headers.put(DpsHeaders.USER_EMAIL, user);
return true;
}
@Value("${service.partition.admin.user}")
String partitionAdminUser;
@Override
public boolean isDomainAdminServiceAccount() {
try {
final Authentication auth = SecurityContextHolder.getContext().getAuthentication();
@SuppressWarnings("unchecked")
KeycloakPrincipal<KeycloakSecurityContext> principal = (KeycloakPrincipal<KeycloakSecurityContext>) auth.getPrincipal();
String upn = principal.getName();
log.info("email : "+upn);
if(upn.equals(partitionAdminUser)) {
return true;
}
else {
throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
}
}
catch (AppException e) {
throw e;
}
catch (Exception e) {
throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure", e.getMessage(), e);
}
}
}
/* Licensed Materials - Property of IBM */
/* (c) Copyright IBM Corp. 2020. All Rights Reserved.*/
package org.opengroup.osdu.partition.provider.ibm.security;
import org.apache.http.HttpStatus;
import org.opengroup.osdu.core.common.model.entitlements.Acl;
import org.opengroup.osdu.core.common.model.http.DpsHeaders;
import org.opengroup.osdu.core.common.cache.ICache;
import org.opengroup.osdu.core.common.model.storage.RecordMetadata;
import org.opengroup.osdu.core.common.util.Crc32c;
import org.opengroup.osdu.core.common.model.entitlements.EntitlementsException;
import org.opengroup.osdu.core.common.model.entitlements.Groups;
import org.opengroup.osdu.core.common.model.http.AppException;
import org.opengroup.osdu.core.common.http.HttpResponse;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsService;
import org.opengroup.osdu.core.common.logging.JaxRsDpsLog;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsAndCacheService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
@Service
public class EntitlementsAndCacheServiceImpl implements IEntitlementsAndCacheService {
private static final String ERROR_REASON = "Access denied";
private static final String ERROR_MSG = "The user is not authorized to perform this action";
@Autowired
private IEntitlementsFactory factory;
@Autowired
private ICache<String, Groups> cache;
@Autowired
private JaxRsDpsLog logger;
@Override
public String authorize(DpsHeaders headers, String... roles) {
Groups groups = this.getGroups(headers);
if (groups.any(roles)) {
return groups.getDesId();
} else {
throw new AppException(HttpStatus.SC_UNAUTHORIZED, ERROR_REASON, ERROR_MSG);
}
}
@Override
public boolean isValidAcl(DpsHeaders headers, Set<String> acls) {
Groups groups = this.getGroups(headers);