diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5aef90abb037a2aa201e57b7c0a2f03ac7e0d3f3..ab4b577029eef2830591a4979d2b506a0686a7f2 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -21,6 +21,11 @@ variables:
MAVEN_PROJECTS: "-pl partition-core,provider/partition-gcp"
OSDU_GCP_TEST_SUBDIR: testing/$OSDU_GCP_SERVICE-test-$OSDU_GCP_VENDOR
OSDU_GCP_HELM_PACKAGE_CHARTS: "devops/gcp/deploy devops/gcp/configmap"
+ OSDU_GCP_HELM_NAMESPACE: default
+ OSDU_GCP_HELM_CONFIG_SERVICE_VARS: "--set data.partition_admin_accounts=$OSDU_GCP_PARTITION_ADMIN_ACCOUNTS --set data.google_cloud_project=$OSDU_GCP_PROJECT --set data.google_audiences=$GOOGLE_AUDIENCE --set data.log_level=INFO --set data.key_ring=$OSDU_GCP_PARTITION_KEY_RING --set data.kms_key=$OSDU_GCP_PARTITION_KMS_KEY"
+ OSDU_GCP_HELM_DEPLOYMENT_SERVICE_VARS: "--set data.image=$CI_REGISTRY_IMAGE/osdu-gcp:$CI_COMMIT_SHORT_SHA --set data.serviceAccountName=workload-identity-partition"
+ OSDU_GCP_HELM_CONFIG_SERVICE: partition-config
+ OSDU_GCP_HELM_DEPLOYMENT_SERVICE: partition-deploy
include:
- project: "osdu/platform/ci-cd-pipelines"
@@ -45,7 +50,10 @@ include:
file: "cloud-providers/ibm.yml"
- project: "osdu/platform/ci-cd-pipelines"
- file: "cloud-providers/osdu-gcp-cloudrun.yml"
+ file: "cloud-providers/osdu-gcp-gke.yml"
+
+ - project: "osdu/platform/ci-cd-pipelines"
+ file: 'cloud-providers/osdu-gcp-global.yml'
- project: "osdu/platform/ci-cd-pipelines"
file: "publishing/pages.yml"
diff --git a/README.md b/README.md
index 9672c34cb046a6681dfd01d725990bbbf96ea654..2b1b855d0b217e7b511e3c3d0f2bb706d9a2c420 100644
--- a/README.md
+++ b/README.md
@@ -25,4 +25,4 @@ Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
-limitations under the License.
\ No newline at end of file
+limitations under the License.
diff --git a/devops/azure/chart/helm-config.yaml b/devops/azure/chart/helm-config.yaml
index cf8438efec51d9e3aef1b1edd2c4ff7f4e17ca0b..89157496f323e000d9c149870ed0b7cc70c1fa05 100644
--- a/devops/azure/chart/helm-config.yaml
+++ b/devops/azure/chart/helm-config.yaml
@@ -3,6 +3,8 @@ global:
# Service(s) Replica Count
replicaCount: 2
+ nodepool: services
+ isAutoscalingEnabled: false
################################################################################
# Specify the Gitlab branch being used for image creation
diff --git a/devops/azure/chart/templates/deployment.yaml b/devops/azure/chart/templates/deployment.yaml
index 9cad45fe5b65d9b340320ab9eeb71f67e861b595..41f3b2a47e175ed112d280b5d905d4fb6f0dee87 100644
--- a/devops/azure/chart/templates/deployment.yaml
+++ b/devops/azure/chart/templates/deployment.yaml
@@ -28,6 +28,10 @@ spec:
app: {{ .Chart.Name }}
aadpodidbinding: osdu-identity
spec:
+{{- if .Values.global.isAutoscalingEnabled }}
+ nodeSelector:
+ nodepool: {{ .Values.global.nodepool }}
+{{- end }}
volumes:
- name: azure-keyvault
csi:
diff --git a/devops/azure/chart/values.yaml b/devops/azure/chart/values.yaml
index 1122f9080d85c0a34c38ef5dac8d99747ab05651..90c2c83ff2333108dc351f642fce4bcba46fc3fb 100644
--- a/devops/azure/chart/values.yaml
+++ b/devops/azure/chart/values.yaml
@@ -14,6 +14,8 @@
global:
replicaCount: 1
+ nodepool: services
+ isAutoscalingEnabled: false
image:
repository: community.opengroup.org:5555/osdu/platform/system/partition
diff --git a/devops/gcp/configmap/templates/partition-variables.yml b/devops/gcp/configmap/templates/partition-variables.yml
index 1eb6ac1529946a67954f510d980ae080ebfe7011..9896f5645e0c0a097b7ba24f180816fb2aa59d18 100644
--- a/devops/gcp/configmap/templates/partition-variables.yml
+++ b/devops/gcp/configmap/templates/partition-variables.yml
@@ -7,7 +7,7 @@ metadata:
namespace: "{{ .Release.Namespace }}"
data:
GOOGLE_CLOUD_PROJECT: "{{ .Values.data.google_cloud_project }}"
- PARTITION_ADMIN_ACCOUNT: "{{ .Values.data.partition_admin_account }}"
+ PARTITION_ADMIN_ACCOUNTS: "{{ .Values.data.partition_admin_accounts }}"
GOOGLE_AUDIENCES: "{{ .Values.data.google_audiences }}"
KEY_RING: "{{ .Values.data.key_ring }}"
KMS_KEY: "{{ .Values.data.kms_key }}"
diff --git a/devops/gcp/configmap/values.yaml b/devops/gcp/configmap/values.yaml
index fa714ddfa01e409a97b5138c1872a2619535c401..ae3a9c094550d022d7d9e10cb4854bf2d936d837 100644
--- a/devops/gcp/configmap/values.yaml
+++ b/devops/gcp/configmap/values.yaml
@@ -1,6 +1,6 @@
data:
google_cloud_project: ""
- partition_admin_account: ""
+ partition_admin_accounts: ""
google_audiences: ""
key_ring: ""
kms_key: ""
diff --git a/devops/gcp/deploy/values.yaml b/devops/gcp/deploy/values.yaml
index eb04941e60824f8e7f8a06343c1639d6a5df60f9..5c61ec5a66e553990e6c65803991b89ee537b3e6 100644
--- a/devops/gcp/deploy/values.yaml
+++ b/devops/gcp/deploy/values.yaml
@@ -4,7 +4,7 @@
data:
requests_cpu: "0.25"
- requests_memory: "128M"
+ requests_memory: "256M"
limits_cpu: "1"
limits_memory: "1G"
serviceAccountName: ""
diff --git a/docs/api/partition_openapi.yaml b/docs/api/partition_openapi.yaml
index df9712e0b20e57538718224d6cc82cf75b29a713..e540fcbc34ea5acf88494c8682e5539b6ab83914 100644
--- a/docs/api/partition_openapi.yaml
+++ b/docs/api/partition_openapi.yaml
@@ -15,6 +15,8 @@ tags:
description: Partition Api
- name: health-check
description: Health Check
+ - name: info
+ description: "Version info endpoint"
paths:
/actuator/health:
get:
@@ -214,6 +216,21 @@ paths:
security:
- JWT:
- global
+ /info:
+ get:
+ tags:
+ - info
+ summary: "Version info"
+ description: "For deployment available public `/info` endpoint, \
+ \ which provides build and git related information."
+ operationId: "Version info"
+ produces:
+ - "application/json"
+ responses:
+ 200:
+ description: "Version info."
+ schema:
+ $ref: "#/definitions/VersionInfo"
securityDefinitions:
JWT:
type: apiKey
@@ -241,6 +258,46 @@ definitions:
cosmos-connection:
sensitive: true
value: 'cosmos-connection'
+ VersionInfo:
+ type: "object"
+ properties:
+ groupId:
+ type: "string"
+ description: "Maven artifact group ID."
+ actifactId:
+ type: "string"
+ description: "Maven artifact ID."
+ version:
+ type: "string"
+ description: "Maven artifact version"
+ buildTime:
+ type: "string"
+ description: "Maven artifact build time"
+ branch:
+ type: "string"
+ description: "Current git branch"
+ commitId:
+ type: "string"
+ description: "Latest commit hash"
+ commitMessage:
+ type: "string"
+ description: "Latest commit message"
+ connectedOuterServices:
+ type: "array"
+ description: "Connected outer services information"
+ items:
+ $ref: "#/definitions/ConnectedOuterService"
+ description: "Version info."
+ ConnectedOuterService:
+ type: "object"
+ properties:
+ name:
+ type: "string"
+ description: "Connected outer service name."
+ version:
+ type: "string"
+ description: "Connected outer service version."
+ description: "Connected outer service information."
Property:
type: object
properties:
diff --git a/docs/tutorial/Partition.md b/docs/tutorial/Partition.md
index d3bad4589a346fd08ca19d17455f9e4ab9e6b453..4b9ec6ccc402f04297dd0e9bd05442f22a3d06d8 100644
--- a/docs/tutorial/Partition.md
+++ b/docs/tutorial/Partition.md
@@ -10,7 +10,7 @@
* [Update an existing partition](#update-partition)
* [Delete an existing partition](#delete-partition)
* [List of partitions](#list-partition)
-
+* [Version info endpoint](#version-info-endpoint)
## Introduction <a name="introduction"></a>
Partition service is responsible for creating and retrieving the partition specific properties (secret and non-secret) on behalf of other services.
@@ -200,4 +200,40 @@ A sample output is shown below.
</details>
-[Back to Table of Contents](#TOC)
\ No newline at end of file
+[Back to Table of Contents](#TOC)
+
+## Version info endpoint
+For deployment available public `/info` endpoint, which provides build and git related information.
+#### Example response:
+```json
+{
+ "groupId": "org.opengroup.osdu",
+ "artifactId": "storage-gcp",
+ "version": "0.10.0-SNAPSHOT",
+ "buildTime": "2021-07-09T14:29:51.584Z",
+ "branch": "feature/GONRG-2681_Build_info",
+ "commitId": "7777",
+ "commitMessage": "Added copyright to version info properties file",
+ "connectedOuterServices": [
+ {
+ "name": "elasticSearch",
+ "version":"..."
+ },
+ {
+ "name": "postgresSql",
+ "version":"..."
+ },
+ {
+ "name": "redis",
+ "version":"..."
+ }
+ ]
+}
+```
+This endpoint takes information from files, generated by `spring-boot-maven-plugin`,
+`git-commit-id-plugin` plugins. Need to specify paths for generated files to matching
+properties:
+- `version.info.buildPropertiesPath`
+- `version.info.gitPropertiesPath`
+
+[Back to table of contents](#TOC)
diff --git a/partition-core/src/main/java/org/opengroup/osdu/partition/api/InfoApi.java b/partition-core/src/main/java/org/opengroup/osdu/partition/api/InfoApi.java
new file mode 100644
index 0000000000000000000000000000000000000000..3bd4885b44bc2271b63383827e546bcc5b1898dc
--- /dev/null
+++ b/partition-core/src/main/java/org/opengroup/osdu/partition/api/InfoApi.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2021 Google LLC
+ * Copyright 2021 EPAM Systems, Inc
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.opengroup.osdu.partition.api;
+
+import java.io.IOException;
+import org.opengroup.osdu.core.common.info.VersionInfoBuilder;
+import org.opengroup.osdu.core.common.model.info.VersionInfo;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping
+public class InfoApi {
+
+ @Autowired
+ private VersionInfoBuilder versionInfoBuilder;
+
+ @GetMapping(value = "/info", produces = MediaType.APPLICATION_JSON_VALUE)
+ public VersionInfo info() throws IOException {
+ return versionInfoBuilder.buildVersionInfo();
+ }
+}
diff --git a/pom.xml b/pom.xml
index 5b8cb91d9bdd8fa7cdc246b35f528357cb421851..76b4b09fdb82df561d5a978c1bfd8c47cd0e43ef 100644
--- a/pom.xml
+++ b/pom.xml
@@ -26,7 +26,7 @@
<maven.compiler.target>1.8</maven.compiler.target>
<maven.compiler.source>1.8</maven.compiler.source>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
- <os-core-common.version>0.10.0</os-core-common.version>
+ <os-core-common.version>0.11.0-SNAPSHOT</os-core-common.version>
<org.springframework.boot.version>2.4.5</org.springframework.boot.version>
</properties>
@@ -86,9 +86,40 @@
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<version>${org.springframework.boot.version}</version>
+ <executions>
+ <execution>
+ <id>build-info</id>
+ <goals>
+ <goal>build-info</goal>
+ </goals>
+ </execution>
+ </executions>
</plugin>
</plugins>
</pluginManagement>
+
+ <plugins>
+ <plugin>
+ <groupId>pl.project13.maven</groupId>
+ <artifactId>git-commit-id-plugin</artifactId>
+ <version>4.0.5</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>revision</goal>
+ </goals>
+ </execution>
+ </executions>
+ <configuration>
+ <verbose>true</verbose>
+ <dateFormat>yyyy-MM-dd'T'HH:mm:ssZ</dateFormat>
+ <generateGitPropertiesFile>true</generateGitPropertiesFile>
+ <generateGitPropertiesFilename>
+ ${project.build.outputDirectory}/git.properties
+ </generateGitPropertiesFilename>
+ </configuration>
+ </plugin>
+ </plugins>
</build>
<modules>
diff --git a/provider/partition-azure/src/main/java/org/opengroup/osdu/partition/provider/azure/security/AADSecurityConfig.java b/provider/partition-azure/src/main/java/org/opengroup/osdu/partition/provider/azure/security/AADSecurityConfig.java
index ba916caea6eb66b0e9bb2dd4789825cf8393dbe4..74294bef5653362c8db58e6e5c5fea46d00f833f 100644
--- a/provider/partition-azure/src/main/java/org/opengroup/osdu/partition/provider/azure/security/AADSecurityConfig.java
+++ b/provider/partition-azure/src/main/java/org/opengroup/osdu/partition/provider/azure/security/AADSecurityConfig.java
@@ -47,6 +47,7 @@ public class AADSecurityConfig extends WebSecurityConfigurerAdapter {
"/configuration/security",
"/swagger",
"/swagger-ui.html",
+ "/info",
"/webjars/**").permitAll()
.anyRequest().authenticated()
.and()
diff --git a/provider/partition-gcp/README.md b/provider/partition-gcp/README.md
index 8c50e5fa221c4e7aa1f149f453be98851a5cdc43..c03c96599e7d7b6ce6f2939f25433f1de7321a40 100644
--- a/provider/partition-gcp/README.md
+++ b/provider/partition-gcp/README.md
@@ -22,7 +22,7 @@ In order to run the service locally or remotely, you will need to have the follo
| `AUTHORIZE_API` | ex `https://entitlements.com/entitlements/v1` | Entitlements API endpoint | no | output of infrastructure deployment |
| `GOOGLE_CLOUD_PROJECT` | ex `osdu-cicd-epam` | Google Cloud Project Id| no | output of infrastructure deployment |
| `GOOGLE_AUDIENCES` | ex `*****.apps.googleusercontent.com` | Client ID for getting access to cloud resources | yes | https://console.cloud.google.com/apis/credentials |
-| `PARTITION_ADMIN_ACCOUNT` | ex `admin@domen.iam.gserviceaccount.com` | Partition Admin account email | no | - |
+| `PARTITION_ADMIN_ACCOUNTS` | ex `admin@domen.iam.gserviceaccount.com,osdu-gcp-sa,workload-identity` | List of partition admin account emails, could be in full form like `admin@domen.iam.gserviceaccount.com` or in `starts with` pattern like `osdu-gcp-sa`| no | - |
| `GOOGLE_APPLICATION_CREDENTIALS` | ex `/path/to/directory/service-key.json` | Service account credentials, you only need this if running locally | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
| `KEY_RING` | ex `csqp` | A key ring holds keys in a specific Google Cloud location and permit us to manage access control on groups of keys | yes | https://cloud.google.com/kms/docs/resource-hierarchy#key_rings |
| `KMS_KEY` | ex `partitionService` | A key exists on one key ring linked to a specific location. | yes | https://cloud.google.com/kms/docs/resource-hierarchy#key_rings |
diff --git a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/IDTokenVerifierConfiguration.java b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/IDTokenVerifierConfiguration.java
new file mode 100644
index 0000000000000000000000000000000000000000..fce0f246c5b51ee8a99308813b88982363f662b5
--- /dev/null
+++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/IDTokenVerifierConfiguration.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2021 Google LLC
+ * Copyright 2021 EPAM Systems, Inc
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.opengroup.osdu.partition.provider.gcp.config;
+
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.json.jackson2.JacksonFactory;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.Collections;
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@RequiredArgsConstructor
+public class IDTokenVerifierConfiguration {
+
+ private final PropertiesConfiguration configuration;
+
+ @Bean
+ public GoogleIdTokenVerifier buildTokenVerifier() throws GeneralSecurityException, IOException {
+ return new GoogleIdTokenVerifier.Builder(
+ GoogleNetHttpTransport.newTrustedTransport(),
+ JacksonFactory.getDefaultInstance())
+ .setAudience(Collections.singleton(configuration.getGoogleAudiences()))
+ .build();
+ }
+}
diff --git a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java
index 5d236f428953df44ea986cd06f6f36565584b03b..7edd2c7b651c70bbd9744e00ebdf96a11a03aab0 100644
--- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java
+++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java
@@ -17,6 +17,9 @@
package org.opengroup.osdu.partition.provider.gcp.config;
+import java.util.List;
+import java.util.Objects;
+import javax.annotation.PostConstruct;
import lombok.Getter;
import lombok.Setter;
import org.springframework.boot.context.properties.ConfigurationProperties;
@@ -30,9 +33,21 @@ public class PropertiesConfiguration {
private String googleAudiences;
- private String partitionAdminAccount;
+ private List<String> partitionAdminAccounts;
+
+ private String googleCloudProject;
private int cacheExpiration;
private int cacheMaxSize;
+
+ private String serviceAccountTail;
+
+ @PostConstruct
+ public void setUp() {
+ if (Objects.isNull(serviceAccountTail) || serviceAccountTail.isEmpty()) {
+ this.serviceAccountTail = googleCloudProject + ".iam.gserviceaccount.com";
+ }
+ }
+
}
diff --git a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java
index 0eb1809166e251e6c78c5036b8621bbc2fb14148..2fe2c6198a81c525f74177f41581db8da604f360 100644
--- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java
+++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java
@@ -19,9 +19,7 @@ package org.opengroup.osdu.partition.provider.gcp.security;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
-import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
-import com.google.api.client.json.jackson2.JacksonFactory;
-import java.util.Collections;
+import java.util.List;
import java.util.Objects;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
@@ -43,6 +41,8 @@ public class AuthorizationService implements IAuthorizationService {
private final DpsHeaders headers;
+ private final GoogleIdTokenVerifier verifier;
+
@Override
public boolean isDomainAdminServiceAccount() {
if (Objects.isNull(headers.getAuthorization()) || headers.getAuthorization().isEmpty()) {
@@ -50,13 +50,6 @@ public class AuthorizationService implements IAuthorizationService {
}
String email = null;
try {
- GoogleIdTokenVerifier verifier =
- new GoogleIdTokenVerifier.Builder(
- GoogleNetHttpTransport.newTrustedTransport(),
- JacksonFactory.getDefaultInstance())
- .setAudience(Collections.singleton(configuration.getGoogleAudiences()))
- .build();
-
String authorization = headers.getAuthorization().replace("Bearer ", "");
GoogleIdToken googleIdToken = verifier.verify(authorization);
if (Objects.isNull(googleIdToken)) {
@@ -64,25 +57,37 @@ public class AuthorizationService implements IAuthorizationService {
throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
}
email = googleIdToken.getPayload().getEmail();
- String partitionAdminAccount = configuration.getPartitionAdminAccount();
- if (Objects.nonNull(partitionAdminAccount) && !partitionAdminAccount.isEmpty()) {
- if (email.equals(partitionAdminAccount)) {
- return true;
- } else {
- throw AppException
- .createUnauthorized(String.format("Unauthorized. The user %s is untrusted.", email));
- }
+ List<String> partitionAdminAccounts = configuration.getPartitionAdminAccounts();
+ if (Objects.nonNull(partitionAdminAccounts) && !partitionAdminAccounts.isEmpty()) {
+ return isAllowedAccount(email);
} else {
- if (StringUtils.endsWithIgnoreCase(email, "gserviceaccount.com")) {
+ if (StringUtils.endsWith(email, configuration.getServiceAccountTail())) {
return true;
} else {
throw AppException.createUnauthorized(
String.format("Unauthorized. The user %s is not Service Principal", email));
}
}
+ } catch (AppException e){
+ throw e;
} catch (Exception ex) {
log.warn(String.format("User %s is not unauthorized. %s.", email, ex));
throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
}
}
+
+ private boolean isAllowedAccount(String accountEmail) {
+ if (StringUtils.endsWith(accountEmail, configuration.getServiceAccountTail())) {
+ for (String partitionAdmin : configuration.getPartitionAdminAccounts()) {
+ if (partitionAdmin.equals(accountEmail)) {
+ return true;
+ }
+ if (StringUtils.startsWith(accountEmail, partitionAdmin)) {
+ return true;
+ }
+ }
+ }
+ throw AppException
+ .createUnauthorized(String.format("Unauthorized. The user %s is untrusted.", accountEmail));
+ }
}
diff --git a/provider/partition-gcp/src/main/resources/application.properties b/provider/partition-gcp/src/main/resources/application.properties
index aea6a99cf6f88c4b3d89973ed394abd449395f61..2e9ae364d253c5f63a282f58be489332e96b3b7f 100644
--- a/provider/partition-gcp/src/main/resources/application.properties
+++ b/provider/partition-gcp/src/main/resources/application.properties
@@ -18,7 +18,7 @@ KEY_RING=${key-ring}
KMS_KEY=${kms-key}
GOOGLE_CLOUD_PROJECT=${google-cloud-project}
google-audiences=123.apps.googleusercontent.com
-partition-admin-account=admin@domen.iam.gserviceaccount.com
+partition-admin-accounts=osdu-gcp-sa
#logging configuration
logging.level.org.springframework.web=${LOG_LEVEL:DEBUG}
diff --git a/provider/partition-gcp/src/test/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationServiceTest.java b/provider/partition-gcp/src/test/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationServiceTest.java
new file mode 100644
index 0000000000000000000000000000000000000000..93fbdd643d512eb88f47ba9e87f0129d63f79ff5
--- /dev/null
+++ b/provider/partition-gcp/src/test/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationServiceTest.java
@@ -0,0 +1,127 @@
+/*
+ * Copyright 2021 Google LLC
+ * Copyright 2021 EPAM Systems, Inc
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.opengroup.osdu.partition.provider.gcp.security;
+
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.when;
+
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
+import com.google.common.collect.ImmutableList;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.List;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.theories.DataPoints;
+import org.junit.experimental.theories.FromDataPoints;
+import org.junit.experimental.theories.Theories;
+import org.junit.experimental.theories.Theory;
+import org.junit.rules.ExpectedException;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+import org.opengroup.osdu.core.common.model.http.AppException;
+import org.opengroup.osdu.core.common.model.http.DpsHeaders;
+import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration;
+
+@RunWith(Theories.class)
+public class AuthorizationServiceTest {
+
+ private final String token = "abc";
+
+ private final String serviceAccountTail = "project-id.iam.gserviceaccount.com";
+
+ private final List<String> partitionAdminAccounts = ImmutableList.of("osdu-gcp-sa", "service.account@project-id.iam.gserviceaccount.com");
+
+ @Rule
+ public ExpectedException exceptionRule = ExpectedException.none();
+
+ @DataPoints("VALID_ACCOUNTS")
+ public static List<String> validTestSet() {
+ return ImmutableList.of(
+ "osdu-gcp-sa-first@project-id.iam.gserviceaccount.com",
+ "osdu-gcp-sa-second@project-id.iam.gserviceaccount.com",
+ "osdu-gcp-sa-third@project-id.iam.gserviceaccount.com",
+ "osdu-gcp-sa-fourth@project-id.iam.gserviceaccount.com");
+ }
+
+ @DataPoints("NOT_VALID_ACCOUNTS")
+ public static List<String> notValidTestSet() {
+ return ImmutableList.of(
+ "osdu-gcp-sa-first@google.com",
+ "osdu-gcp-sa-second@project-id.iam.gserviceaccount.com.not.valid",
+ "user-osdu-gcp-sa-third@project-id.iam.gserviceaccount.com");
+ }
+
+ @Mock
+ private PropertiesConfiguration configuration;
+
+ @Mock
+ private GoogleIdTokenVerifier verifier;
+
+ @Mock
+ private GoogleIdToken googleIdToken;
+
+ @Mock
+ private DpsHeaders headers;
+
+ private Payload payload = new Payload();
+
+ @InjectMocks
+ private AuthorizationService authorizationService;
+
+ @Before
+ public void setUp() throws GeneralSecurityException, IOException {
+ MockitoAnnotations.initMocks(this);
+ when(configuration.getPartitionAdminAccounts()).thenReturn(partitionAdminAccounts);
+ when(configuration.getServiceAccountTail()).thenReturn(serviceAccountTail);
+ when(headers.getAuthorization()).thenReturn(token);
+ when(verifier.verify(token)).thenReturn(googleIdToken);
+ when(googleIdToken.getPayload()).thenReturn(payload);
+
+ }
+
+ @Test
+ public void testProvidedInConfigAdminAccountShouldReturnTrue() {
+ payload.setEmail("service.account@project-id.iam.gserviceaccount.com");
+ assertTrue(authorizationService.isDomainAdminServiceAccount());
+ }
+
+ @Test(expected = AppException.class)
+ public void testNotProvidedInConfigAdminAccountShouldThrowException() {
+ payload.setEmail("user@google.com");
+ authorizationService.isDomainAdminServiceAccount();
+ }
+
+ @Theory
+ public void testProvidedInConfigPatternShouldReturnTrue(@FromDataPoints("VALID_ACCOUNTS") String account) {
+ payload.setEmail(account);
+ assertTrue(authorizationService.isDomainAdminServiceAccount());
+ }
+
+ @Theory
+ public void testNotProvidedInConfigPatternShouldReturnTrue(@FromDataPoints("NOT_VALID_ACCOUNTS") String account) {
+ exceptionRule.expect(AppException.class);
+ payload.setEmail(account);
+ authorizationService.isDomainAdminServiceAccount();
+ }
+}
\ No newline at end of file
diff --git a/testing/partition-test-aws/src/test/java/org/opengroup/osdu/partition/api/TestGetVersionInfo.java b/testing/partition-test-aws/src/test/java/org/opengroup/osdu/partition/api/TestGetVersionInfo.java
new file mode 100644
index 0000000000000000000000000000000000000000..baa931ac761e26a134acb716f3705941c58e2f45
--- /dev/null
+++ b/testing/partition-test-aws/src/test/java/org/opengroup/osdu/partition/api/TestGetVersionInfo.java
@@ -0,0 +1,20 @@
+package org.opengroup.osdu.partition.api;
+
+import org.junit.After;
+import org.junit.Before;
+import org.opengroup.osdu.partition.util.AwsTestUtils;
+
+public class TestGetVersionInfo extends GetVersionInfoApiTest {
+
+ @Before
+ @Override
+ public void setup() throws Exception {
+ this.testUtils = new AwsTestUtils();
+ }
+
+ @After
+ @Override
+ public void tearDown() throws Exception {
+ this.testUtils = null;
+ }
+}
diff --git a/testing/partition-test-azure/src/test/java/org/opengroup/osdu/partition/api/TestGetVersionInfo.java b/testing/partition-test-azure/src/test/java/org/opengroup/osdu/partition/api/TestGetVersionInfo.java
new file mode 100644
index 0000000000000000000000000000000000000000..75a838d98e4917f6b45c98f40901dd1b10f66353
--- /dev/null
+++ b/testing/partition-test-azure/src/test/java/org/opengroup/osdu/partition/api/TestGetVersionInfo.java
@@ -0,0 +1,20 @@
+package org.opengroup.osdu.partition.api;
+
+import org.junit.After;
+import org.junit.Before;
+import org.opengroup.osdu.partition.util.AzureTestUtils;
+
+public class TestGetVersionInfo extends GetVersionInfoApiTest {
+
+ @Before
+ @Override
+ public void setup() throws Exception {
+ this.testUtils = new AzureTestUtils();
+ }
+
+ @After
+ @Override
+ public void tearDown() throws Exception {
+ this.testUtils = null;
+ }
+}
diff --git a/testing/partition-test-core/src/main/java/org/opengroup/osdu/partition/api/GetVersionInfoApiTest.java b/testing/partition-test-core/src/main/java/org/opengroup/osdu/partition/api/GetVersionInfoApiTest.java
new file mode 100644
index 0000000000000000000000000000000000000000..86291eeed8ace7f6a62df0f8e45bce2c035165cc
--- /dev/null
+++ b/testing/partition-test-core/src/main/java/org/opengroup/osdu/partition/api/GetVersionInfoApiTest.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2021 Google LLC
+ * Copyright 2021 EPAM Systems, Inc
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.opengroup.osdu.partition.api;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+
+import com.sun.jersey.api.client.ClientResponse;
+import org.junit.Test;
+import org.opengroup.osdu.partition.util.TestBase;
+import org.opengroup.osdu.partition.util.TestUtils;
+import org.opengroup.osdu.partition.util.VersionInfoUtils;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+
+public abstract class GetVersionInfoApiTest extends TestBase {
+
+ protected static final VersionInfoUtils VERSION_INFO_UTILS = new VersionInfoUtils();
+
+ @Test
+ public void should_returnInfo() throws Exception {
+ ClientResponse response = TestUtils
+ .send("api/partition/v1/info", HttpMethod.GET.name(), this.testUtils.getAccessToken(), "",
+ "", false);
+ assertEquals(HttpStatus.OK.value(), response.getStatus());
+
+ VersionInfoUtils.VersionInfo responseObject = VERSION_INFO_UTILS
+ .getVersionInfoFromResponse(response);
+
+ assertNotNull(responseObject.groupId);
+ assertNotNull(responseObject.artifactId);
+ assertNotNull(responseObject.version);
+ assertNotNull(responseObject.buildTime);
+ assertNotNull(responseObject.branch);
+ assertNotNull(responseObject.commitId);
+ assertNotNull(responseObject.commitMessage);
+ }
+}
diff --git a/testing/partition-test-core/src/main/java/org/opengroup/osdu/partition/util/VersionInfoUtils.java b/testing/partition-test-core/src/main/java/org/opengroup/osdu/partition/util/VersionInfoUtils.java
new file mode 100644
index 0000000000000000000000000000000000000000..0918d6c92caba4b1e7cf9a5ccbe610cd2782ca7e
--- /dev/null
+++ b/testing/partition-test-core/src/main/java/org/opengroup/osdu/partition/util/VersionInfoUtils.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2021 Google LLC
+ * Copyright 2021 EPAM Systems, Inc
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.opengroup.osdu.partition.util;
+
+import static org.junit.Assert.assertTrue;
+
+import com.google.gson.Gson;
+import com.sun.jersey.api.client.ClientResponse;
+
+public class VersionInfoUtils {
+
+ public VersionInfo getVersionInfoFromResponse(ClientResponse response) {
+ assertTrue(response.getType().toString().contains("application/json"));
+ String json = response.getEntity(String.class);
+ Gson gson = new Gson();
+ return gson.fromJson(json, VersionInfo.class);
+ }
+
+ public class VersionInfo {
+
+ public String groupId;
+ public String artifactId;
+ public String version;
+ public String buildTime;
+ public String branch;
+ public String commitId;
+ public String commitMessage;
+ }
+}
diff --git a/testing/partition-test-gcp/src/test/java/org/opengroup/osdu/partition/api/TestGetVersionInfo.java b/testing/partition-test-gcp/src/test/java/org/opengroup/osdu/partition/api/TestGetVersionInfo.java
new file mode 100644
index 0000000000000000000000000000000000000000..513958fa3d4b194f5da6c14a9ab3e1763e74802b
--- /dev/null
+++ b/testing/partition-test-gcp/src/test/java/org/opengroup/osdu/partition/api/TestGetVersionInfo.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2021 Google LLC
+ * Copyright 2021 EPAM Systems, Inc
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.opengroup.osdu.partition.api;
+
+import org.junit.After;
+import org.junit.Before;
+import org.opengroup.osdu.partition.util.GCPTestUtils;
+
+public class TestGetVersionInfo extends GetVersionInfoApiTest {
+
+ @Before
+ @Override
+ public void setup() throws Exception {
+ this.testUtils = new GCPTestUtils();
+ }
+
+ @After
+ @Override
+ public void tearDown() throws Exception {
+ this.testUtils = null;
+ }
+}
diff --git a/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestGetVersionInfo.java b/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestGetVersionInfo.java
new file mode 100644
index 0000000000000000000000000000000000000000..7d4f37045cc2c9df2c383b421e3c328a3333b729
--- /dev/null
+++ b/testing/partition-test-ibm/src/test/java/org/opengroup/osdu/partition/api/TestGetVersionInfo.java
@@ -0,0 +1,20 @@
+package org.opengroup.osdu.partition.api;
+
+import org.junit.After;
+import org.junit.Before;
+import org.opengroup.osdu.partition.util.IBMTestUtils;
+
+public class TestGetVersionInfo extends GetVersionInfoApiTest {
+
+ @Before
+ @Override
+ public void setup() throws Exception {
+ this.testUtils = new IBMTestUtils();
+ }
+
+ @After
+ @Override
+ public void tearDown() throws Exception {
+ this.testUtils = null;
+ }
+}