diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index bf275ed8f16e04f8c0e46301226dfb13915b2e0f..f626195e8c81340194b4458249ac9b3a4b49c40c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -7,7 +7,7 @@ variables:
AZURE_SERVICE: partition
AZURE_BUILD_SUBDIR: provider/partition-azure
AZURE_TEST_SUBDIR: testing/partition-test-azure
-
+
IBM_BUILD_SUBDIR: provider/partition-ibm
IBM_INT_TEST_SUBDIR: testing/partition-test-ibm
@@ -15,7 +15,7 @@ variables:
OSDU_GCP_SERVICE: partition
OSDU_GCP_VENDOR: gcp
OSDU_GCP_APPLICATION_NAME: os-partition
- OSDU_GCP_ENV_VARS: AUTHORIZE_API=$OSDU_GCP_AUTHORIZE_API,GOOGLE_CLOUD_PROJECT=$OSDU_GCP_PROJECT
+ OSDU_GCP_ENV_VARS: AUTHORIZE_API=$OSDU_GCP_AUTHORIZE_API,GOOGLE_CLOUD_PROJECT=$OSDU_GCP_PROJECT,GOOGLE_AUDIENCES=$GOOGLE_AUDIENCE,PARTITION_ADMIN_ACCOUNT=$OSDU_GCP_SERVICE_ACCOUNT
MAVEN_PROJECTS: "-pl partition-core,provider/partition-gcp"
OSDU_GCP_TEST_SUBDIR: testing/$OSDU_GCP_SERVICE-test-$OSDU_GCP_VENDOR
@@ -32,19 +32,18 @@ include:
- project: "osdu/platform/ci-cd-pipelines"
file: "scanners/fossa-maven.yml"
- - project: 'osdu/platform/ci-cd-pipelines'
- file: 'cloud-providers/aws.yml'
+ - project: "osdu/platform/ci-cd-pipelines"
+ file: "cloud-providers/aws.yml"
- project: "osdu/platform/ci-cd-pipelines"
file: "cloud-providers/azure.yml"
-
+
- project: "osdu/platform/ci-cd-pipelines"
file: "cloud-providers/ibm.yml"
- project: "osdu/platform/ci-cd-pipelines"
- file: 'cloud-providers/osdu-gcp-cloudrun.yml'
+ file: "cloud-providers/osdu-gcp-cloudrun.yml"
osdu-gcp-test:
variables:
CLIENT_TENANT: osdu
-
diff --git a/NOTICE b/NOTICE
index 0edf0a1b07888dace600d10e7a8a8636e8b7f1fc..a5ba405edd0d7d3ac5c09841a9e233c0dec747df 100644
--- a/NOTICE
+++ b/NOTICE
@@ -348,6 +348,7 @@ The following software have components provided under the terms of this license:
- Java Native Access (from https://github.com/java-native-access/jna)
- Java Native Access Platform (from https://github.com/java-native-access/jna)
- Javassist (from http://www.javassist.org/)
+- Javassist (from http://www.javassist.org/)
- Jetty Server (from )
- Jetty Utilities (from )
- Joda-Time (from http://www.joda.org/joda-time/)
@@ -358,6 +359,15 @@ The following software have components provided under the terms of this license:
- KeePassJava2 :: KDB (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-kdb)
- KeePassJava2 :: KDBX (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-kdbx)
- KeePassJava2 :: Simple (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-simple)
+- KeyCloak Authz: Client API (from )
+- Keycloak :: Spring :: Boot :: Default :: Starter (from )
+- Keycloak Adapter Core (from )
+- Keycloak Adapter SPI (from )
+- Keycloak Common (from )
+- Keycloak Core (from )
+- Keycloak Spring Boot 2 Integration (from )
+- Keycloak Spring Boot Adapter Core (from )
+- Keycloak Spring Security Integration (from )
- Logback Contrib :: JSON :: Classic (from )
- Logback Contrib :: JSON :: Core (from )
- Logback Contrib :: Jackson (from )
@@ -561,6 +571,7 @@ The following software have components provided under the terms of this license:
- rest-high-level (from https://github.com/elastic/elasticsearch)
- rxjava (from https://github.com/ReactiveX/RxJava)
- secure-sm (from https://github.com/elastic/elasticsearch)
+- spring-boot-container-bundle (from )
- spring-security-config (from http://spring.io/spring-security)
- spring-security-core (from http://spring.io/spring-security)
- spring-security-oauth2-client (from http://spring.io/spring-security)
@@ -597,6 +608,7 @@ The following software have components provided under the terms of this license:
- GAX (Google Api eXtensions) (from https://github.com/googleapis)
- Hamcrest (from http://hamcrest.org/JavaHamcrest/)
- Hamcrest Core (from http://hamcrest.org/)
+- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- Lucene Common Analyzers (from )
- Plexus :: Default Container (from )
- Plexus Common Utilities (from http://plexus.codehaus.org/plexus-utils)
@@ -625,8 +637,10 @@ The following software have components provided under the terms of this license:
- Google Auth Library for Java - OAuth2 HTTP (from )
- Hamcrest (from http://hamcrest.org/JavaHamcrest/)
- Hamcrest Core (from http://hamcrest.org/)
+- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- JDOM (from http://www.jdom.org)
- JSch (from http://www.jcraft.com/jsch/)
+- JavaBeans Activation Framework (from )
- JavaBeans Activation Framework API jar (from )
- Lucene Common Analyzers (from )
- Lucene Core (from )
@@ -795,6 +809,7 @@ The following software have components provided under the terms of this license:
- Java Native Access (from https://github.com/java-native-access/jna)
- Java Native Access Platform (from https://github.com/java-native-access/jna)
- Javassist (from http://www.javassist.org/)
+- Javassist (from http://www.javassist.org/)
- Logback Classic Module (from )
- Logback Contrib :: JSON :: Classic (from )
- Logback Contrib :: JSON :: Core (from )
@@ -811,6 +826,7 @@ LGPL-2.1-or-later
========================================================================
The following software have components provided under the terms of this license:
+- Javassist (from http://www.javassist.org/)
- SnakeYAML (from http://www.snakeyaml.org)
========================================================================
@@ -835,6 +851,7 @@ The following software have components provided under the terms of this license:
- Azure Java Client Runtime for AutoRest (from https://github.com/Azure/autorest-clientruntime-for-java)
- Azure Metrics Spring Boot Starter (from https://github.com/Microsoft/azure-spring-boot)
- Azure Spring Boot AutoConfigure (from https://github.com/Microsoft/azure-spring-boot)
+- Bouncy Castle Provider (from http://www.bouncycastle.org/java.html)
- Checker Qual (from https://checkerframework.org)
- Extensions on Apache Proton-J library (from https://github.com/Azure/qpid-proton-j-extensions)
- JOpt Simple (from http://pholser.github.io/jopt-simple)
@@ -886,12 +903,14 @@ The following software have components provided under the terms of this license:
- Cobertura code coverage (from http://cobertura.sourceforge.net)
- Javassist (from http://www.javassist.org/)
+- Javassist (from http://www.javassist.org/)
========================================================================
MPL-2.0
========================================================================
The following software have components provided under the terms of this license:
+- Javassist (from http://www.javassist.org/)
- Javassist (from http://www.javassist.org/)
- OkHttp (from )
@@ -900,6 +919,7 @@ PHP-3.01
========================================================================
The following software have components provided under the terms of this license:
+- JavaBeans Activation Framework (from )
- JavaBeans Activation Framework API jar (from )
- jakarta.xml.bind-api (from )
@@ -952,9 +972,13 @@ The following software have components provided under the terms of this license:
- AWS Java SDK :: SDK Core (from https://aws.amazon.com/sdkforjava)
- AWS SDK for Java - Models (from https://aws.amazon.com/sdkforjava)
- Asynchronous Http Client (from )
+- Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs (from http://www.bouncycastle.org/java.html)
+- Bouncy Castle Provider (from http://www.bouncycastle.org/java.html)
- Guava: Google Core Libraries for Java (from https://github.com/google/guava.git)
- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
+- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- Joda-Time (from http://www.joda.org/joda-time/)
+- Keycloak Common (from )
- LatencyUtils (from http://latencyutils.github.io/LatencyUtils/)
- Microsoft Application Insights Java SDK Core (from https://github.com/Microsoft/ApplicationInsights-Java)
- Microsoft Azure SDK for SQL API of Azure Cosmos DB Service (from https://github.com/Azure/azure-sdk-for-java)
@@ -972,10 +996,13 @@ unknown
========================================================================
The following software have components provided under the terms of this license:
+- Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs (from http://www.bouncycastle.org/java.html)
+- Bouncy Castle Provider (from http://www.bouncycastle.org/java.html)
- Byte Buddy (without dependencies) (from )
- JUnit (from http://junit.org)
- JUnit (from http://junit.org)
- JUnit Jupiter (Aggregator) (from https://junit.org/junit5/)
+- JavaBeans Activation Framework (from )
- JavaBeans Activation Framework API jar (from )
- JavaMail API (from )
- Servlet Specification 2.5 API (from )
diff --git a/devops/azure/chart/templates/deployment.yaml b/devops/azure/chart/templates/deployment.yaml
index 701ea88731e7b36ae120948630825ea82407e203..eccbf52b861bb32a6ce9aa92829ad1c2a3fe225b 100644
--- a/devops/azure/chart/templates/deployment.yaml
+++ b/devops/azure/chart/templates/deployment.yaml
@@ -63,6 +63,8 @@ spec:
value: "80"
- name: ACCEPT_HTTP # TEMPORARY UNTIL HTTPS
value: "true"
+ - name: partition_spring_logging_level
+ value: INFO
- name: KEYVAULT_URI
valueFrom:
configMapKeyRef:
diff --git a/provider/partition-azure/src/main/resources/application.properties b/provider/partition-azure/src/main/resources/application.properties
index 436ee530ca679fc25d6f68ea9e21e8c04e3a4a9a..decff4b95d46b7418f7a4b4c7a861a945c6a6b94 100644
--- a/provider/partition-azure/src/main/resources/application.properties
+++ b/provider/partition-azure/src/main/resources/application.properties
@@ -1,6 +1,6 @@
LOG_PREFIX=partition
server.servlet.contextPath=/api/partition/v1
-logging.level.org.springframework.web=DEBUG
+logging.level.org.springframework.web=${partition_spring_logging_level:INFO}
JAVA_OPTS=-Dserver.port=80
server.port=8080
springfox.documentation.swagger.v2.path=/api-docs
diff --git a/provider/partition-gcp/README.md b/provider/partition-gcp/README.md
index d4dde2dda176f4e42ecc2aedade901f7cb353f80..a60430b2d842c1d4057cb6b98ce85262d8dd074c 100644
--- a/provider/partition-gcp/README.md
+++ b/provider/partition-gcp/README.md
@@ -21,6 +21,8 @@ In order to run the service locally or remotely, you will need to have the follo
| `SERVER_SERVLET_CONTEXPATH` | `/api/partition/v1` | Servlet context path | no | - |
| `AUTHORIZE_API` | ex `https://entitlements.com/entitlements/v1` | Entitlements API endpoint | no | output of infrastructure deployment |
| `GOOGLE_CLOUD_PROJECT` | ex `osdu-cicd-epam` | Google Cloud Project Id| no | output of infrastructure deployment |
+| `GOOGLE_AUDIENCES` | ex `*****.apps.googleusercontent.com` | Client ID for getting access to cloud resources | yes | https://console.cloud.google.com/apis/credentials |
+| `PARTITION_ADMIN_ACCOUNT` | ex `admin@domen.iam.gserviceaccount.com` | Partition Admin account email | no | - |
| `GOOGLE_APPLICATION_CREDENTIALS` | ex `/path/to/directory/service-key.json` | Service account credentials, you only need this if running locally | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
### Run Locally
@@ -115,14 +117,9 @@ You will need to have the following environment variables defined.
| `PARTITION_BASE_URL` | ex `http://localhost:8080/` | service base URL | yes | |
| `CLIENT_TENANT` | ex `opendes` | name of the client partition | yes | |
| `MY_TENANT` | ex `opendes` | name of the OSDU partition | yes | |
-| `INTEGRATION_TESTER` | `********` | Service account for API calls. Note: this user must have entitlements configured already. Base64 encoded string | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
+| `INTEGRATION_TESTER` | `********` | Service account for API calls. Note: this user must be `PARTITION_ADMIN_ACCOUNT` | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
| `NO_DATA_ACCESS_TESTER` | `********` | Service account base64 encoded string without data access | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
| `INTEGRATION_TEST_AUDIENCE` | `********` | client application ID | yes | https://console.cloud.google.com/apis/credentials |
-**Entitlements configuration for integration accounts**
-
-| INTEGRATION_TESTER | NO_DATA_ACCESS_TESTER |
-| --- | --- |
-| users<br/>service.entitlements.user<br/>service.partition.admin<br/>data.test1<br/>data.integration.test<br/>users@{tenant1}@{domain}.com | users <br/>service.entitlements.user<br/> |
Execute following command to build code and run all the integration tests:
diff --git a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java
index 9475913cf2877cae635c911fa3de372df5b90a83..5d236f428953df44ea986cd06f6f36565584b03b 100644
--- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java
+++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java
@@ -28,9 +28,11 @@ import org.springframework.context.annotation.Configuration;
@Setter
public class PropertiesConfiguration {
- private String authorizeApi;
+ private String googleAudiences;
- private int cacheExpiration;
+ private String partitionAdminAccount;
- private int cacheMaxSize;
+ private int cacheExpiration;
+
+ private int cacheMaxSize;
}
diff --git a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java
index b19b061ba369931346107deb371d5a6779238748..212720936e824ba023cc101e090978c211afbf78 100644
--- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java
+++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java
@@ -17,14 +17,19 @@
package org.opengroup.osdu.partition.provider.gcp.security;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.json.jackson2.JacksonFactory;
+import java.util.Collections;
import java.util.Objects;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
-import org.opengroup.osdu.core.common.model.entitlements.AuthorizationResponse;
+import org.apache.commons.lang3.StringUtils;
import org.opengroup.osdu.core.common.model.http.AppException;
import org.opengroup.osdu.core.common.model.http.DpsHeaders;
+import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration;
import org.opengroup.osdu.partition.provider.interfaces.IAuthorizationService;
-import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.context.annotation.RequestScope;
@@ -34,23 +39,47 @@ import org.springframework.web.context.annotation.RequestScope;
@RequiredArgsConstructor
public class AuthorizationService implements IAuthorizationService {
- private static final String PARTITION_ADMIN_ROLE = "service.partition.admin";
+ private final PropertiesConfiguration configuration;
- private final DpsHeaders headers;
+ private final DpsHeaders headers;
- private final org.opengroup.osdu.core.common.provider.interfaces.IAuthorizationService authorizationServiceImpl;
+ @Override
+ public boolean isDomainAdminServiceAccount() {
+ if (Objects.isNull(headers.getAuthorization()) || headers.getAuthorization().isEmpty()) {
+ throw AppException.createUnauthorized("No JWT token. Access is Forbidden");
+ }
+ try {
+ GoogleIdTokenVerifier verifier =
+ new GoogleIdTokenVerifier.Builder(
+ GoogleNetHttpTransport.newTrustedTransport(),
+ JacksonFactory.getDefaultInstance())
+ .setAudience(Collections.singleton(configuration.getGoogleAudiences()))
+ .build();
- @Override
- public boolean isDomainAdminServiceAccount() {
- try {
- AuthorizationResponse authorizationResponse = authorizationServiceImpl
- .authorizeAny(headers, PARTITION_ADMIN_ROLE);
- } catch (AppException e) {
- throw e;
- } catch (Exception e) {
- throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure",
- e.getMessage(), e);
+ String authorization = headers.getAuthorization().replace("Bearer ", "");
+ GoogleIdToken googleIdToken = verifier.verify(authorization);
+ if (Objects.isNull(googleIdToken)) {
+ log.warn("Not valid token provided");
+ throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
+ }
+ String email = googleIdToken.getPayload().getEmail();
+ String partitionAdminAccount = configuration.getPartitionAdminAccount();
+ if (Objects.nonNull(partitionAdminAccount) && !partitionAdminAccount.isEmpty()) {
+ if (email.equals(partitionAdminAccount)) {
+ return true;
+ } else {
+ throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
+ }
+ } else {
+ if (StringUtils.endsWithIgnoreCase(email, "gserviceaccount.com")) {
+ return true;
+ } else {
+ throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
+ }
+ }
+ } catch (Exception e) {
+ log.warn("Not valid or expired token provided");
+ throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
+ }
}
- return true;
- }
}
diff --git a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/EntitlementsClientFactory.java b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/EntitlementsClientFactory.java
deleted file mode 100644
index ce48a3673c0f8fa7407286529296458f1754a6b4..0000000000000000000000000000000000000000
--- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/EntitlementsClientFactory.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- Copyright 2002-2021 Google LLC
- Copyright 2002-2021 EPAM Systems, Inc
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- */
-
-package org.opengroup.osdu.partition.provider.gcp.security;
-
-import lombok.RequiredArgsConstructor;
-
-import javax.inject.Inject;
-
-import org.opengroup.osdu.core.common.entitlements.EntitlementsAPIConfig;
-import org.opengroup.osdu.core.common.entitlements.EntitlementsFactory;
-import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
-import org.opengroup.osdu.core.common.http.json.HttpResponseBodyMapper;
-import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration;
-import org.springframework.beans.factory.config.AbstractFactoryBean;
-import org.springframework.stereotype.Component;
-
-@Component
-@RequiredArgsConstructor
-public class EntitlementsClientFactory extends AbstractFactoryBean<IEntitlementsFactory> {
-
- private final PropertiesConfiguration properties;
-
- @Inject
- private HttpResponseBodyMapper httpResponseBodyMapper;
-
- @Override
- protected IEntitlementsFactory createInstance() throws Exception {
-
- return new EntitlementsFactory(EntitlementsAPIConfig
- .builder()
- .rootUrl(properties.getAuthorizeApi())
- .build(),
- httpResponseBodyMapper);
- }
-
- @Override
- public Class<?> getObjectType() {
- return IEntitlementsFactory.class;
- }
-}
diff --git a/provider/partition-gcp/src/main/resources/application.properties b/provider/partition-gcp/src/main/resources/application.properties
index 3f9c4e0ded14515f36e82c034a1fb3de189d4ba6..3bb3b7343933e9414aee898abbd4834773f5308a 100644
--- a/provider/partition-gcp/src/main/resources/application.properties
+++ b/provider/partition-gcp/src/main/resources/application.properties
@@ -17,6 +17,8 @@ kms-key=searchService
KEY_RING=${key-ring}
KMS_KEY=${kms-key}
GOOGLE_CLOUD_PROJECT=${google-cloud-project}
+google-audiences=123.apps.googleusercontent.com
+partition-admin-account=admin@domen.iam.gserviceaccount.com
#logging configuration
logging.level.org.springframework.web=${LOG_LEVEL:DEBUG}
diff --git a/provider/partition-ibm/pom.xml b/provider/partition-ibm/pom.xml
index 65062fccde44225a67ac0f4c435771f59ed782b3..9afd713261403bd81e76dac16b9079688cb5533e 100644
--- a/provider/partition-ibm/pom.xml
+++ b/provider/partition-ibm/pom.xml
@@ -20,20 +20,15 @@
<packaging>jar</packaging>
<properties>
- <aws.version>1.11.637</aws.version>
+ <version.keycloak>9.0.2</version.keycloak>
</properties>
<dependencies>
<!-- Internal packages -->
- <dependency>
- <groupId>org.opengroup.osdu</groupId>
- <artifactId>os-core-common</artifactId>
- <version>0.3.28</version>
- </dependency>
<dependency>
<groupId>org.opengroup.osdu</groupId>
<artifactId>os-core-lib-ibm</artifactId>
- <version>0.7.0</version>
+ <version>0.8.2</version>
</dependency>
<dependency>
<groupId>org.opengroup.osdu</groupId>
@@ -43,10 +38,10 @@
<!-- Third party Apache 2.0 license packages -->
- <dependency>
+ <!-- <dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
- </dependency>
+ </dependency> -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
@@ -119,6 +114,31 @@
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
+
+
+ <!-- Keycloak -->
+ <dependency>
+ <groupId>org.keycloak</groupId>
+ <artifactId>keycloak-spring-boot-starter</artifactId>
+ <version>${version.keycloak}</version>
+ </dependency>
+ <!-- <dependency>
+ <groupId>org.keycloak</groupId>
+ <artifactId>keycloak-spring-boot-starter-security</artifactId>
+ <version>${version.keycloak}</version>
+ </dependency> -->
+ <!-- <dependency>
+ <groupId>org.keycloak</groupId>
+ <artifactId>keycloak-authz-client</artifactId>
+ <version>${version.keycloak}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.keycloak</groupId>
+ <artifactId>keycloak-admin-client</artifactId>
+ <version>${version.keycloak}</version>
+ </dependency> -->
+
+
</dependencies>
<build>
diff --git a/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/AuthorizationService.java b/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/AuthorizationService.java
index ce059f118aa3eb1cf0e46e9b9ea13c130611e904..7b5129829f5b99709541180bcb129d23e5e2136b 100644
--- a/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/AuthorizationService.java
+++ b/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/AuthorizationService.java
@@ -3,47 +3,52 @@
package org.opengroup.osdu.partition.provider.ibm.security;
-import org.opengroup.osdu.core.common.entitlements.IEntitlementsAndCacheService;
+import org.keycloak.KeycloakPrincipal;
+import org.keycloak.KeycloakSecurityContext;
import org.opengroup.osdu.core.common.model.http.AppException;
-import org.opengroup.osdu.core.common.model.http.DpsHeaders;
import org.opengroup.osdu.partition.provider.interfaces.IAuthorizationService;
-import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.context.annotation.RequestScope;
+import lombok.extern.slf4j.Slf4j;
+
@Component
@RequestScope
+@Slf4j
public class AuthorizationService implements IAuthorizationService {
- public static final String PARTITION_ADMIN_ROLE = "service.partition.admin";
-
- @Autowired
- private IEntitlementsAndCacheService entitlementsAndCacheService;
-
- @Autowired
- private DpsHeaders headers;
-
- @Override
- public boolean isDomainAdminServiceAccount() {
- try {
- return hasRole(PARTITION_ADMIN_ROLE);
- }
- catch (AppException e) {
- throw e;
- }
- catch (Exception e) {
- throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure", e.getMessage(), e);
- }
-
- }
-
- private boolean hasRole(String requiredRole) {
- //headers.put(DpsHeaders.DATA_PARTITION_ID, PARTITION_NAME);
- String user = entitlementsAndCacheService.authorize(headers, requiredRole);
- headers.put(DpsHeaders.USER_EMAIL, user);
- return true;
- }
+ @Value("${service.partition.admin.user}")
+ String partitionAdminUser;
+
+
+ @Override
+ public boolean isDomainAdminServiceAccount() {
+ try {
+ final Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+ @SuppressWarnings("unchecked")
+ KeycloakPrincipal<KeycloakSecurityContext> principal = (KeycloakPrincipal<KeycloakSecurityContext>) auth.getPrincipal();
+ String upn = principal.getName();
+ log.info("email : "+upn);
+ if(upn.equals(partitionAdminUser)) {
+ return true;
+ }
+ else {
+ throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
+ }
+
+ }
+ catch (AppException e) {
+ throw e;
+ }
+ catch (Exception e) {
+ throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure", e.getMessage(), e);
+ }
+
+ }
}
diff --git a/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/EntitlementsAndCacheServiceImpl.java b/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/EntitlementsAndCacheServiceImpl.java
deleted file mode 100644
index 1e341267f21910c8d86794c7e71c72cedefa1cc9..0000000000000000000000000000000000000000
--- a/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/EntitlementsAndCacheServiceImpl.java
+++ /dev/null
@@ -1,153 +0,0 @@
-/* Licensed Materials - Property of IBM */
-/* (c) Copyright IBM Corp. 2020. All Rights Reserved.*/
-
-package org.opengroup.osdu.partition.provider.ibm.security;
-
-import org.apache.http.HttpStatus;
-import org.opengroup.osdu.core.common.model.entitlements.Acl;
-import org.opengroup.osdu.core.common.model.http.DpsHeaders;
-import org.opengroup.osdu.core.common.cache.ICache;
-import org.opengroup.osdu.core.common.model.storage.RecordMetadata;
-import org.opengroup.osdu.core.common.util.Crc32c;
-import org.opengroup.osdu.core.common.model.entitlements.EntitlementsException;
-import org.opengroup.osdu.core.common.model.entitlements.Groups;
-import org.opengroup.osdu.core.common.model.http.AppException;
-import org.opengroup.osdu.core.common.http.HttpResponse;
-import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
-import org.opengroup.osdu.core.common.entitlements.IEntitlementsService;
-import org.opengroup.osdu.core.common.logging.JaxRsDpsLog;
-import org.opengroup.osdu.core.common.entitlements.IEntitlementsAndCacheService;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Service;
-
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-@Service
-public class EntitlementsAndCacheServiceImpl implements IEntitlementsAndCacheService {
-
- private static final String ERROR_REASON = "Access denied";
- private static final String ERROR_MSG = "The user is not authorized to perform this action";
-
- @Autowired
- private IEntitlementsFactory factory;
-
- @Autowired
- private ICache<String, Groups> cache;
-
- @Autowired
- private JaxRsDpsLog logger;
-
- @Override
- public String authorize(DpsHeaders headers, String... roles) {
- Groups groups = this.getGroups(headers);
- if (groups.any(roles)) {
- return groups.getDesId();
- } else {
- throw new AppException(HttpStatus.SC_UNAUTHORIZED, ERROR_REASON, ERROR_MSG);
- }
- }
-
- @Override
- public boolean isValidAcl(DpsHeaders headers, Set<String> acls) {
- Groups groups = this.getGroups(headers);
- if (groups.getGroups() == null || groups.getGroups().isEmpty()) {
- this.logger.error("Error on getting groups for user: " + headers.getUserEmail());
- throw new AppException(HttpStatus.SC_INTERNAL_SERVER_ERROR, "Unknown error",
- "Unknown error happened when validating ACL");
- }
- String email = groups.getGroups().get(0).getEmail();
- if (!email.matches("^[a-zA-Z0-9_+&*-]+(?:\\.[a-zA-Z0-9_+&*-]+)*@(?:[a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,7}$")) {
- this.logger.error("Email address is invalid for this group: " + groups.getGroups().get(0));
- throw new AppException(HttpStatus.SC_INTERNAL_SERVER_ERROR, "Unknown error",
- "Unknown error happened when validating ACL");
- }
- String domain = email.split("@")[1];
- for (String acl : acls) {
- if (!acl.split("@")[1].equalsIgnoreCase(domain)) {
- return false;
- }
- }
- return true;
- }
-
- @Override
- public boolean hasOwnerAccess(DpsHeaders headers, String[] ownerList) {
- Groups groups = this.getGroups(headers);
- Set<String> aclList = new HashSet<>();
-
- for (String owner : ownerList) {
- aclList.add(owner.split("@")[0]);
- }
-
- String[] acls = new String[aclList.size()];
- return groups.any(aclList.toArray(acls));
- }
-
- @Override
- public List<RecordMetadata> hasValidAccess(List<RecordMetadata> recordsMetadata, DpsHeaders headers) {
- Groups groups = this.getGroups(headers);
- List<RecordMetadata> result = new ArrayList<>();
-
- for (RecordMetadata recordMetadata : recordsMetadata) {
- Acl storageAcl = recordMetadata.getAcl();
- if (hasAccess(storageAcl, groups)) {
- result.add(recordMetadata);
- } else {
- this.logger.warning("Post ACL check fails: " + recordMetadata.getId());
- }
- }
-
- return result;
- }
-
- private boolean hasAccess(Acl storageAcl, Groups groups) {
- String[] viewers = storageAcl.getViewers();
- String[] owners = storageAcl.getOwners();
- Set<String> aclList = new HashSet<>();
-
- for (String viewer : viewers) {
- aclList.add(viewer.split("@")[0]);
- }
- for (String owner : owners) {
- aclList.add(owner.split("@")[0]);
- }
-
- String[] acls = new String[aclList.size()];
- if (groups.any(aclList.toArray(acls))) {
- return true;
- } else {
- return false;
- }
- }
-
- protected Groups getGroups(DpsHeaders headers) {
- String cacheKey = this.getGroupCacheKey(headers);
- Groups groups = this.cache.get(cacheKey);
-
- if (groups == null) {
- IEntitlementsService service = this.factory.create(headers);
- try {
- groups = service.getGroups();
- this.cache.put(cacheKey, groups);
- this.logger.info("Entitlements cache miss");
-
- } catch (EntitlementsException e) {
- e.printStackTrace();
- HttpResponse response = e.getHttpResponse();
- this.logger.error(String.format("Error requesting entitlements service %s", response));
- throw new AppException(e.getHttpResponse().getResponseCode(), ERROR_REASON, ERROR_MSG, e);
- }
- }
-
- return groups;
- }
-
- protected static String getGroupCacheKey(DpsHeaders headers) {
- String key = String.format("entitlement-groups:%s:%s", headers.getPartitionIdWithFallbackToAccountId(),
- headers.getAuthorization());
- return Crc32c.hashToBase64EncodedString(key);
- }
-}
diff --git a/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/EntitlementsClientFactory.java b/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/EntitlementsClientFactory.java
deleted file mode 100644
index 193e63876b27038a3bb468ddf701135aef54cc46..0000000000000000000000000000000000000000
--- a/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/EntitlementsClientFactory.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/* Licensed Materials - Property of IBM */
-/* (c) Copyright IBM Corp. 2020. All Rights Reserved.*/
-
-package org.opengroup.osdu.partition.provider.ibm.security;
-
-import javax.inject.Inject;
-
-import org.opengroup.osdu.core.common.entitlements.EntitlementsAPIConfig;
-import org.opengroup.osdu.core.common.entitlements.EntitlementsFactory;
-import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
-import org.opengroup.osdu.core.common.http.json.HttpResponseBodyMapper;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.beans.factory.config.AbstractFactoryBean;
-import org.springframework.stereotype.Component;
-
-@Component
-public class EntitlementsClientFactory extends AbstractFactoryBean<IEntitlementsFactory> {
-
- @Value("${AUTHORIZE_API}")
- private String AUTHORIZE_API;
-
- @Value("${AUTHORIZE_API_KEY:}")
- private String AUTHORIZE_API_KEY;
-
- @Inject
- private HttpResponseBodyMapper httpResponseBodyMapper;
-
- @Override
- protected IEntitlementsFactory createInstance() throws Exception {
-
- return new EntitlementsFactory(EntitlementsAPIConfig
- .builder()
- .rootUrl(AUTHORIZE_API)
- .apiKey(AUTHORIZE_API_KEY)
- .build(),
- httpResponseBodyMapper);
- }
-
- @Override
- public Class<?> getObjectType() {
- return IEntitlementsFactory.class;
- }
-}
\ No newline at end of file
diff --git a/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/KeycloakSecurityConfig.java b/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/KeycloakSecurityConfig.java
new file mode 100644
index 0000000000000000000000000000000000000000..3ba9984383b10f10b95914213f4ada91794108dc
--- /dev/null
+++ b/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/KeycloakSecurityConfig.java
@@ -0,0 +1,56 @@
+/* Licensed Materials - Property of IBM */
+/* (c) Copyright IBM Corp. 2020. All Rights Reserved.*/
+
+package org.opengroup.osdu.partition.provider.ibm.security;
+
+import org.keycloak.adapters.KeycloakConfigResolver;
+import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
+import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
+import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
+import org.springframework.security.core.session.SessionRegistryImpl;
+import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
+import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
+
+@Configuration
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true)
+public class KeycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ super.configure(http);
+ http.authorizeRequests()
+ .anyRequest().authenticated().and().oauth2ResourceServer().jwt();
+ /* .anyRequest()
+ .permitAll();*/
+ http.csrf().disable();
+ http.headers().frameOptions().disable();
+ }
+
+ @Autowired
+ public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+ KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
+ keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
+ auth.authenticationProvider(keycloakAuthenticationProvider);
+ }
+
+ @Bean
+ @Override
+ protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
+ return new NullAuthenticatedSessionStrategy();
+ }
+
+ @Bean
+ public KeycloakConfigResolver KeycloakConfigResolver() {
+ return new KeycloakSpringBootConfigResolver();
+ }
+}
\ No newline at end of file
diff --git a/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/SecurityConfigIBM.java b/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/SecurityConfigIBM.java
deleted file mode 100644
index 8da96136277545f93e232d755c422b87249a4ad8..0000000000000000000000000000000000000000
--- a/provider/partition-ibm/src/main/java/org/opengroup/osdu/partition/provider/ibm/security/SecurityConfigIBM.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/* Licensed Materials - Property of IBM */
-/* (c) Copyright IBM Corp. 2020. All Rights Reserved.*/
-
-package org.opengroup.osdu.partition.provider.ibm.security;
-
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-
-@EnableWebSecurity
-@Configuration
-@EnableGlobalMethodSecurity(prePostEnabled = true)
-public class SecurityConfigIBM extends WebSecurityConfigurerAdapter {
- @Override
- protected void configure(HttpSecurity http) throws Exception {
- http.csrf().disable().authorizeRequests()
- .antMatchers("_ah/liveness_check",
- "/_ah/readiness_check",
- "/swagger-resources/**",
- "/configuration/security",
- "/webjars/**")
- .permitAll().anyRequest().authenticated().and().oauth2ResourceServer().jwt();
- }
-}
\ No newline at end of file
diff --git a/provider/partition-ibm/src/main/resources/application.properties b/provider/partition-ibm/src/main/resources/application.properties
index 82948a6526214f97e364a15ec10de00049d51ff2..59435cdad0effbce72555aa61219cea468c88adf 100644
--- a/provider/partition-ibm/src/main/resources/application.properties
+++ b/provider/partition-ibm/src/main/resources/application.properties
@@ -26,3 +26,33 @@ ibm.db.password=TODO
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=TODO
+
+##Keycloak for partition service
+keycloak.realm=TODO
+keycloak.auth-server-url=TODO
+keycloak.resource=TODO
+keycloak.credentials.secret=TODO
+keycloak.ssl-required=TODO
+keycloak.bearer-only=true
+keycloak.use-resource-role-mappings=false
+partition.role=partition-admin-role
+#added above property as '[]' are not allowed in openshift env variables
+keycloak.securityConstraints[0].authRoles[0]=${partition.role}
+#keycloak.securityConstraints[0].securityCollections[0].name=protected
+#api pattern for role validation
+partition.api.pattern=/*
+keycloak.securityConstraints[0].securityCollections[0].patterns[0]=${partition.api.pattern}
+keycloak.principal-attribute=email
+##SA check
+service.partition.admin.user=partition-service-admin@in.ibm.com
+#SERVICE_DOMAIN_NAME=ibm.com
+
+#No-use-but mandatory properties for os-core-lib-ibm 9.0.
+#Token generation for partition service call
+partition.keycloak.user=TODO
+partition.keycloak.password=TODO
+partition.keycloak.url=TODO
+partition.keycloak.realm=TODO
+partition.keycloak.client_id=TODO
+partition.keycloak.client_secert=TODO
+
diff --git a/testing/README.md b/testing/README.md
index 6442bf70ad861374443a8fc21b70f953ac6f3471..2905dfd1b5463bf70fa2d6d663da3ab59fc037d4 100644
--- a/testing/README.md
+++ b/testing/README.md
@@ -1,25 +1,10 @@
-Copyright 2017-2020, Schlumberger
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
# Partition service integration tests
-Partition integration tests are refactored so that the business logic for integration tests resides in the `partition-test-core` module and provider specific logic and execution steps reside in provider module (e.g. `partition-test-azure`). To run the integration tests, the core module is built first and then the provider module is executed. Please read further to know more details.
+Partition integration tests are refactored so that the business logic for integration tests resides in the `partition-test-core` module and provider specific logic and execution steps reside in provider module. To run the integration tests, the core module is built first and then the provider module is executed. Please read further to know more details.
### Dependencies needed to run the integration tests
* JDK8
* Maven
-* Azure Devops access to slb-des-ext-collaboration organization. You need to generate a PAT that can access dependencies held in the Azure artifacts
* Values for the following environment variables in Config.java (in `partition-test-core` module)
```
@@ -27,9 +12,7 @@ Partition integration tests are refactored so that the business logic for integr
PARTITION_BASE_URL (service base URL, required only if running integration tests against a cloud endpoint)
CLIENT_TENANT (name of the client partition, required only if running integration tests against a cloud endpoint) (e.g. 'common')
MY_TENANT(name of the OSDU partition, required only if running integration tests against a cloud endpoint) (e.g. 'opendes')
+
```
Above variables should be configured in the release pipeline to run integration tests. You should also replace them with proper values if you wish to run tests locally.
-### Commands to run tests
-* Integration tests are refactored into two pieces: Core and Provider. Core contains business logic for tests and is a dependency for executing the tests from provider module. To build the core module, simply navigate to `partition-test-core` directory and run `mvn clean install`. This will build the core module
-* Next, to execute the integration tests, navigate to the provider module and execute `mvn test`
diff --git a/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestCreatePartition.java b/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestCreatePartition.java
index b21b39328cf43289208458d2126a119d709b36d2..2f4789ae1e05648cdd510f6b5adf57e0fdf62b0c 100644
--- a/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestCreatePartition.java
+++ b/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestCreatePartition.java
@@ -3,11 +3,15 @@
package org.opengroup.osdu.partition.api;
+import static org.junit.Assert.assertEquals;
+
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.opengroup.osdu.partition.util.IBMTestUtils;
+import com.sun.jersey.api.client.ClientResponse;
+
public class TestCreatePartition extends CreatePartitionTest {
@Before
@@ -22,4 +26,22 @@ public class TestCreatePartition extends CreatePartitionTest {
this.testUtils = null;
}
+ @Test
+ @Override
+ public void should_return401_when_noAccessToken() throws Exception {
+ // Springboot Keycloak gives 403 when token does not have required roles
+ ClientResponse response = descriptor.runOnCustomerTenant(getId(), testUtils.getNoAccessToken());
+ assertEquals(error(response.getEntity(String.class)), 403, response.getStatus());
+ }
+
+ @Test
+ @Override
+ public void should_return401_when_accessingWithCredentialsWithoutPermission() throws Exception {
+ // Partition-ibm service does not required partition id
+ // Here, no access token used hence checking with 403 response code in assertion statement
+ ClientResponse response = descriptor.run(getId(), testUtils.getNoAccessToken());
+ assertEquals(403, response.getStatus());
+ }
+
+
}
diff --git a/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestDeletePartition.java b/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestDeletePartition.java
index 9c2d7cc0da04ba0d4165b88fa8ea5f358d1a315f..49101f0d3f512be5d095b9f1377a44e843643b74 100644
--- a/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestDeletePartition.java
+++ b/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestDeletePartition.java
@@ -3,11 +3,15 @@
package org.opengroup.osdu.partition.api;
+import static org.junit.Assert.assertEquals;
+
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.opengroup.osdu.partition.util.IBMTestUtils;
+import com.sun.jersey.api.client.ClientResponse;
+
public class TestDeletePartition extends DeletePartitionTest {
@Before
@@ -22,4 +26,20 @@ public class TestDeletePartition extends DeletePartitionTest {
this.testUtils = null;
}
+ @Test
+ @Override
+ public void should_return401_when_noAccessToken() throws Exception {
+ // Springboot Keycloak gives 403 when token does not have required roles
+ ClientResponse response = descriptor.runOnCustomerTenant(getId(), testUtils.getNoAccessToken());
+ assertEquals(error(response.getEntity(String.class)), 403, response.getStatus());
+ }
+
+ @Test
+ @Override
+ public void should_return401_when_accessingWithCredentialsWithoutPermission() throws Exception {
+ // Partition-ibm service does not required partition id
+ // Here, no access token used hence checking with 403 response code in assertion statement
+ ClientResponse response = descriptor.run(getId(), testUtils.getNoAccessToken());
+ assertEquals(403, response.getStatus());
+ }
}
diff --git a/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestGetPartitionById.java b/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestGetPartitionById.java
index 0c5589183c737841a8713765527cee1ea0d155be..fb77068ad6b986d5044c054ede5330545ca3f0d4 100644
--- a/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestGetPartitionById.java
+++ b/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestGetPartitionById.java
@@ -3,11 +3,15 @@
package org.opengroup.osdu.partition.api;
+import static org.junit.Assert.assertEquals;
+
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.opengroup.osdu.partition.util.IBMTestUtils;
+import com.sun.jersey.api.client.ClientResponse;
+
public class TestGetPartitionById extends GetPartitionByIdApitTest {
@Before
@@ -21,5 +25,20 @@ public class TestGetPartitionById extends GetPartitionByIdApitTest {
public void tearDown() {
this.testUtils = null;
}
+ @Test
+ @Override
+ public void should_return401_when_noAccessToken() throws Exception {
+ // Springboot Keycloak gives 403 when token does not have required roles
+ ClientResponse response = descriptor.runOnCustomerTenant(getId(), testUtils.getNoAccessToken());
+ assertEquals(error(response.getEntity(String.class)), 403, response.getStatus());
+ }
+ @Test
+ @Override
+ public void should_return401_when_accessingWithCredentialsWithoutPermission() throws Exception {
+ // Partition-ibm service does not required partition id
+ // Here, no access token used hence checking with 403 response code in assertion statement
+ ClientResponse response = descriptor.run(getId(), testUtils.getNoAccessToken());
+ assertEquals(403, response.getStatus());
+ }
}
diff --git a/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestListPartitions.java b/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestListPartitions.java
index 6a1e5e66a5226d0eb4360078ef7b56528ce4281f..c9993b15a9af28db9fc9e8e0c05cf1a7ea7137b1 100644
--- a/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestListPartitions.java
+++ b/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestListPartitions.java
@@ -3,11 +3,15 @@
package org.opengroup.osdu.partition.api;
+import static org.junit.Assert.assertEquals;
+
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.opengroup.osdu.partition.util.IBMTestUtils;
+import com.sun.jersey.api.client.ClientResponse;
+
public class TestListPartitions extends ListPartitionsApitTest {
@Before
@@ -21,5 +25,20 @@ public class TestListPartitions extends ListPartitionsApitTest {
public void tearDown() {
this.testUtils = null;
}
+ @Test
+ @Override
+ public void should_return401_when_noAccessToken() throws Exception {
+ // Springboot Keycloak gives 403 when token does not have required roles
+ ClientResponse response = descriptor.runOnCustomerTenant(getId(), testUtils.getNoAccessToken());
+ assertEquals(error(response.getEntity(String.class)), 403, response.getStatus());
+ }
+ @Test
+ @Override
+ public void should_return401_when_accessingWithCredentialsWithoutPermission() throws Exception {
+ // Partition-ibm service does not required partition id
+ // Here, no access token used hence checking with 403 response code in assertion statement
+ ClientResponse response = descriptor.run(getId(), testUtils.getNoAccessToken());
+ assertEquals(403, response.getStatus());
+ }
}
diff --git a/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestUpdatePartition.java b/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestUpdatePartition.java
index 564659dc2bd3d662bac5182a358a1442d21f8ff1..666865625ac28505b2e156b31691c87492ab6368 100644
--- a/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestUpdatePartition.java
+++ b/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestUpdatePartition.java
@@ -3,11 +3,15 @@
package org.opengroup.osdu.partition.api;
+import static org.junit.Assert.assertEquals;
+
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.opengroup.osdu.partition.util.IBMTestUtils;
+import com.sun.jersey.api.client.ClientResponse;
+
public class TestUpdatePartition extends UpdatePartitionTest {
@Before
@@ -21,5 +25,20 @@ public class TestUpdatePartition extends UpdatePartitionTest {
public void tearDown() {
this.testUtils = null;
}
+ @Test
+ @Override
+ public void should_return401_when_noAccessToken() throws Exception {
+ // Springboot Keycloak gives 403 when token does not have required roles
+ ClientResponse response = descriptor.runOnCustomerTenant(getId(), testUtils.getNoAccessToken());
+ assertEquals(error(response.getEntity(String.class)), 403, response.getStatus());
+ }
+ @Test
+ @Override
+ public void should_return401_when_accessingWithCredentialsWithoutPermission() throws Exception {
+ // Partition-ibm service does not required partition id
+ // Here, no access token used hence checking with 403 response code in assertion statement
+ ClientResponse response = descriptor.run(getId(), testUtils.getNoAccessToken());
+ assertEquals(403, response.getStatus());
+ }
}