Commit b3e74933 authored by Anuj Gupta's avatar Anuj Gupta
Browse files

Merge branch 'ibm-update' into 'master'

IBM update

See merge request !49
parents 2c9cdcda 65720d6b
Pipeline #37761 failed with stages
in 34 minutes and 12 seconds
......@@ -348,6 +348,7 @@ The following software have components provided under the terms of this license:
- Java Native Access (from https://github.com/java-native-access/jna)
- Java Native Access Platform (from https://github.com/java-native-access/jna)
- Javassist (from http://www.javassist.org/)
- Javassist (from http://www.javassist.org/)
- Jetty Server (from )
- Jetty Utilities (from )
- Joda-Time (from http://www.joda.org/joda-time/)
......@@ -358,6 +359,15 @@ The following software have components provided under the terms of this license:
- KeePassJava2 :: KDB (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-kdb)
- KeePassJava2 :: KDBX (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-kdbx)
- KeePassJava2 :: Simple (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2-simple)
- KeyCloak Authz: Client API (from )
- Keycloak :: Spring :: Boot :: Default :: Starter (from )
- Keycloak Adapter Core (from )
- Keycloak Adapter SPI (from )
- Keycloak Common (from )
- Keycloak Core (from )
- Keycloak Spring Boot 2 Integration (from )
- Keycloak Spring Boot Adapter Core (from )
- Keycloak Spring Security Integration (from )
- Logback Contrib :: JSON :: Classic (from )
- Logback Contrib :: JSON :: Core (from )
- Logback Contrib :: Jackson (from )
......@@ -561,6 +571,7 @@ The following software have components provided under the terms of this license:
- rest-high-level (from https://github.com/elastic/elasticsearch)
- rxjava (from https://github.com/ReactiveX/RxJava)
- secure-sm (from https://github.com/elastic/elasticsearch)
- spring-boot-container-bundle (from )
- spring-security-config (from http://spring.io/spring-security)
- spring-security-core (from http://spring.io/spring-security)
- spring-security-oauth2-client (from http://spring.io/spring-security)
......@@ -597,6 +608,7 @@ The following software have components provided under the terms of this license:
- GAX (Google Api eXtensions) (from https://github.com/googleapis)
- Hamcrest (from http://hamcrest.org/JavaHamcrest/)
- Hamcrest Core (from http://hamcrest.org/)
- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- Lucene Common Analyzers (from )
- Plexus :: Default Container (from )
- Plexus Common Utilities (from http://plexus.codehaus.org/plexus-utils)
......@@ -625,8 +637,10 @@ The following software have components provided under the terms of this license:
- Google Auth Library for Java - OAuth2 HTTP (from )
- Hamcrest (from http://hamcrest.org/JavaHamcrest/)
- Hamcrest Core (from http://hamcrest.org/)
- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- JDOM (from http://www.jdom.org)
- JSch (from http://www.jcraft.com/jsch/)
- JavaBeans Activation Framework (from )
- JavaBeans Activation Framework API jar (from )
- Lucene Common Analyzers (from )
- Lucene Core (from )
......@@ -795,6 +809,7 @@ The following software have components provided under the terms of this license:
- Java Native Access (from https://github.com/java-native-access/jna)
- Java Native Access Platform (from https://github.com/java-native-access/jna)
- Javassist (from http://www.javassist.org/)
- Javassist (from http://www.javassist.org/)
- Logback Classic Module (from )
- Logback Contrib :: JSON :: Classic (from )
- Logback Contrib :: JSON :: Core (from )
......@@ -811,6 +826,7 @@ LGPL-2.1-or-later
========================================================================
The following software have components provided under the terms of this license:
- Javassist (from http://www.javassist.org/)
- SnakeYAML (from http://www.snakeyaml.org)
========================================================================
......@@ -835,6 +851,7 @@ The following software have components provided under the terms of this license:
- Azure Java Client Runtime for AutoRest (from https://github.com/Azure/autorest-clientruntime-for-java)
- Azure Metrics Spring Boot Starter (from https://github.com/Microsoft/azure-spring-boot)
- Azure Spring Boot AutoConfigure (from https://github.com/Microsoft/azure-spring-boot)
- Bouncy Castle Provider (from http://www.bouncycastle.org/java.html)
- Checker Qual (from https://checkerframework.org)
- Extensions on Apache Proton-J library (from https://github.com/Azure/qpid-proton-j-extensions)
- JOpt Simple (from http://pholser.github.io/jopt-simple)
......@@ -886,12 +903,14 @@ The following software have components provided under the terms of this license:
- Cobertura code coverage (from http://cobertura.sourceforge.net)
- Javassist (from http://www.javassist.org/)
- Javassist (from http://www.javassist.org/)
========================================================================
MPL-2.0
========================================================================
The following software have components provided under the terms of this license:
- Javassist (from http://www.javassist.org/)
- Javassist (from http://www.javassist.org/)
- OkHttp (from )
......@@ -900,6 +919,7 @@ PHP-3.01
========================================================================
The following software have components provided under the terms of this license:
- JavaBeans Activation Framework (from )
- JavaBeans Activation Framework API jar (from )
- jakarta.xml.bind-api (from )
......@@ -952,9 +972,13 @@ The following software have components provided under the terms of this license:
- AWS Java SDK :: SDK Core (from https://aws.amazon.com/sdkforjava)
- AWS SDK for Java - Models (from https://aws.amazon.com/sdkforjava)
- Asynchronous Http Client (from )
- Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs (from http://www.bouncycastle.org/java.html)
- Bouncy Castle Provider (from http://www.bouncycastle.org/java.html)
- Guava: Google Core Libraries for Java (from https://github.com/google/guava.git)
- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- Joda-Time (from http://www.joda.org/joda-time/)
- Keycloak Common (from )
- LatencyUtils (from http://latencyutils.github.io/LatencyUtils/)
- Microsoft Application Insights Java SDK Core (from https://github.com/Microsoft/ApplicationInsights-Java)
- Microsoft Azure SDK for SQL API of Azure Cosmos DB Service (from https://github.com/Azure/azure-sdk-for-java)
......@@ -972,10 +996,13 @@ unknown
========================================================================
The following software have components provided under the terms of this license:
- Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs (from http://www.bouncycastle.org/java.html)
- Bouncy Castle Provider (from http://www.bouncycastle.org/java.html)
- Byte Buddy (without dependencies) (from )
- JUnit (from http://junit.org)
- JUnit (from http://junit.org)
- JUnit Jupiter (Aggregator) (from https://junit.org/junit5/)
- JavaBeans Activation Framework (from )
- JavaBeans Activation Framework API jar (from )
- JavaMail API (from )
- Servlet Specification 2.5 API (from )
......
......@@ -20,20 +20,15 @@
<packaging>jar</packaging>
<properties>
<aws.version>1.11.637</aws.version>
<version.keycloak>9.0.2</version.keycloak>
</properties>
<dependencies>
<!-- Internal packages -->
<dependency>
<groupId>org.opengroup.osdu</groupId>
<artifactId>os-core-common</artifactId>
<version>0.3.28</version>
</dependency>
<dependency>
<groupId>org.opengroup.osdu</groupId>
<artifactId>os-core-lib-ibm</artifactId>
<version>0.7.0</version>
<version>0.8.2</version>
</dependency>
<dependency>
<groupId>org.opengroup.osdu</groupId>
......@@ -43,10 +38,10 @@
<!-- Third party Apache 2.0 license packages -->
<dependency>
<!-- <dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
</dependency> -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
......@@ -119,6 +114,31 @@
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
<!-- Keycloak -->
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-starter</artifactId>
<version>${version.keycloak}</version>
</dependency>
<!-- <dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-starter-security</artifactId>
<version>${version.keycloak}</version>
</dependency> -->
<!-- <dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-authz-client</artifactId>
<version>${version.keycloak}</version>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-admin-client</artifactId>
<version>${version.keycloak}</version>
</dependency> -->
</dependencies>
<build>
......
......@@ -3,47 +3,52 @@
package org.opengroup.osdu.partition.provider.ibm.security;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsAndCacheService;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.opengroup.osdu.core.common.model.http.AppException;
import org.opengroup.osdu.core.common.model.http.DpsHeaders;
import org.opengroup.osdu.partition.provider.interfaces.IAuthorizationService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.context.annotation.RequestScope;
import lombok.extern.slf4j.Slf4j;
@Component
@RequestScope
@Slf4j
public class AuthorizationService implements IAuthorizationService {
public static final String PARTITION_ADMIN_ROLE = "service.partition.admin";
@Autowired
private IEntitlementsAndCacheService entitlementsAndCacheService;
@Autowired
private DpsHeaders headers;
@Override
public boolean isDomainAdminServiceAccount() {
try {
return hasRole(PARTITION_ADMIN_ROLE);
}
catch (AppException e) {
throw e;
}
catch (Exception e) {
throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure", e.getMessage(), e);
}
}
private boolean hasRole(String requiredRole) {
//headers.put(DpsHeaders.DATA_PARTITION_ID, PARTITION_NAME);
String user = entitlementsAndCacheService.authorize(headers, requiredRole);
headers.put(DpsHeaders.USER_EMAIL, user);
return true;
}
@Value("${service.partition.admin.user}")
String partitionAdminUser;
@Override
public boolean isDomainAdminServiceAccount() {
try {
final Authentication auth = SecurityContextHolder.getContext().getAuthentication();
@SuppressWarnings("unchecked")
KeycloakPrincipal<KeycloakSecurityContext> principal = (KeycloakPrincipal<KeycloakSecurityContext>) auth.getPrincipal();
String upn = principal.getName();
log.info("email : "+upn);
if(upn.equals(partitionAdminUser)) {
return true;
}
else {
throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
}
}
catch (AppException e) {
throw e;
}
catch (Exception e) {
throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure", e.getMessage(), e);
}
}
}
/* Licensed Materials - Property of IBM */
/* (c) Copyright IBM Corp. 2020. All Rights Reserved.*/
package org.opengroup.osdu.partition.provider.ibm.security;
import org.apache.http.HttpStatus;
import org.opengroup.osdu.core.common.model.entitlements.Acl;
import org.opengroup.osdu.core.common.model.http.DpsHeaders;
import org.opengroup.osdu.core.common.cache.ICache;
import org.opengroup.osdu.core.common.model.storage.RecordMetadata;
import org.opengroup.osdu.core.common.util.Crc32c;
import org.opengroup.osdu.core.common.model.entitlements.EntitlementsException;
import org.opengroup.osdu.core.common.model.entitlements.Groups;
import org.opengroup.osdu.core.common.model.http.AppException;
import org.opengroup.osdu.core.common.http.HttpResponse;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsService;
import org.opengroup.osdu.core.common.logging.JaxRsDpsLog;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsAndCacheService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
@Service
public class EntitlementsAndCacheServiceImpl implements IEntitlementsAndCacheService {
private static final String ERROR_REASON = "Access denied";
private static final String ERROR_MSG = "The user is not authorized to perform this action";
@Autowired
private IEntitlementsFactory factory;
@Autowired
private ICache<String, Groups> cache;
@Autowired
private JaxRsDpsLog logger;
@Override
public String authorize(DpsHeaders headers, String... roles) {
Groups groups = this.getGroups(headers);
if (groups.any(roles)) {
return groups.getDesId();
} else {
throw new AppException(HttpStatus.SC_UNAUTHORIZED, ERROR_REASON, ERROR_MSG);
}
}
@Override
public boolean isValidAcl(DpsHeaders headers, Set<String> acls) {
Groups groups = this.getGroups(headers);
if (groups.getGroups() == null || groups.getGroups().isEmpty()) {
this.logger.error("Error on getting groups for user: " + headers.getUserEmail());
throw new AppException(HttpStatus.SC_INTERNAL_SERVER_ERROR, "Unknown error",
"Unknown error happened when validating ACL");
}
String email = groups.getGroups().get(0).getEmail();
if (!email.matches("^[a-zA-Z0-9_+&*-]+(?:\\.[a-zA-Z0-9_+&*-]+)*@(?:[a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,7}$")) {
this.logger.error("Email address is invalid for this group: " + groups.getGroups().get(0));
throw new AppException(HttpStatus.SC_INTERNAL_SERVER_ERROR, "Unknown error",
"Unknown error happened when validating ACL");
}
String domain = email.split("@")[1];
for (String acl : acls) {
if (!acl.split("@")[1].equalsIgnoreCase(domain)) {
return false;
}
}
return true;
}
@Override
public boolean hasOwnerAccess(DpsHeaders headers, String[] ownerList) {
Groups groups = this.getGroups(headers);
Set<String> aclList = new HashSet<>();
for (String owner : ownerList) {
aclList.add(owner.split("@")[0]);
}
String[] acls = new String[aclList.size()];
return groups.any(aclList.toArray(acls));
}
@Override
public List<RecordMetadata> hasValidAccess(List<RecordMetadata> recordsMetadata, DpsHeaders headers) {
Groups groups = this.getGroups(headers);
List<RecordMetadata> result = new ArrayList<>();
for (RecordMetadata recordMetadata : recordsMetadata) {
Acl storageAcl = recordMetadata.getAcl();
if (hasAccess(storageAcl, groups)) {
result.add(recordMetadata);
} else {
this.logger.warning("Post ACL check fails: " + recordMetadata.getId());
}
}
return result;
}
private boolean hasAccess(Acl storageAcl, Groups groups) {
String[] viewers = storageAcl.getViewers();
String[] owners = storageAcl.getOwners();
Set<String> aclList = new HashSet<>();
for (String viewer : viewers) {
aclList.add(viewer.split("@")[0]);
}
for (String owner : owners) {
aclList.add(owner.split("@")[0]);
}
String[] acls = new String[aclList.size()];
if (groups.any(aclList.toArray(acls))) {
return true;
} else {
return false;
}
}
protected Groups getGroups(DpsHeaders headers) {
String cacheKey = this.getGroupCacheKey(headers);
Groups groups = this.cache.get(cacheKey);
if (groups == null) {
IEntitlementsService service = this.factory.create(headers);
try {
groups = service.getGroups();
this.cache.put(cacheKey, groups);
this.logger.info("Entitlements cache miss");
} catch (EntitlementsException e) {
e.printStackTrace();
HttpResponse response = e.getHttpResponse();
this.logger.error(String.format("Error requesting entitlements service %s", response));
throw new AppException(e.getHttpResponse().getResponseCode(), ERROR_REASON, ERROR_MSG, e);
}
}
return groups;
}
protected static String getGroupCacheKey(DpsHeaders headers) {
String key = String.format("entitlement-groups:%s:%s", headers.getPartitionIdWithFallbackToAccountId(),
headers.getAuthorization());
return Crc32c.hashToBase64EncodedString(key);
}
}
/* Licensed Materials - Property of IBM */
/* (c) Copyright IBM Corp. 2020. All Rights Reserved.*/
package org.opengroup.osdu.partition.provider.ibm.security;
import javax.inject.Inject;
import org.opengroup.osdu.core.common.entitlements.EntitlementsAPIConfig;
import org.opengroup.osdu.core.common.entitlements.EntitlementsFactory;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
import org.opengroup.osdu.core.common.http.json.HttpResponseBodyMapper;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.beans.factory.config.AbstractFactoryBean;
import org.springframework.stereotype.Component;
@Component
public class EntitlementsClientFactory extends AbstractFactoryBean<IEntitlementsFactory> {
@Value("${AUTHORIZE_API}")
private String AUTHORIZE_API;
@Value("${AUTHORIZE_API_KEY:}")
private String AUTHORIZE_API_KEY;
@Inject
private HttpResponseBodyMapper httpResponseBodyMapper;
@Override
protected IEntitlementsFactory createInstance() throws Exception {
return new EntitlementsFactory(EntitlementsAPIConfig
.builder()
.rootUrl(AUTHORIZE_API)
.apiKey(AUTHORIZE_API_KEY)
.build(),
httpResponseBodyMapper);
}
@Override
public Class<?> getObjectType() {
return IEntitlementsFactory.class;
}
}
\ No newline at end of file
/* Licensed Materials - Property of IBM */
/* (c) Copyright IBM Corp. 2020. All Rights Reserved.*/
package org.opengroup.osdu.partition.provider.ibm.security;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true)
public class KeycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.authorizeRequests()
.anyRequest().authenticated().and().oauth2ResourceServer().jwt();
/* .anyRequest()
.permitAll();*/
http.csrf().disable();
http.headers().frameOptions().disable();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new NullAuthenticatedSessionStrategy();
}
@Bean
public KeycloakConfigResolver KeycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
}
\ No newline at end of file
/* Licensed Materials - Property of IBM */
/* (c) Copyright IBM Corp. 2020. All Rights Reserved.*/
package org.opengroup.osdu.partition.provider.ibm.security;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfigIBM extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers("_ah/liveness_check",
"/_ah/readiness_check",
"/swagger-resources/**",
"/configuration/security",
"/webjars/**")
.permitAll().anyRequest().authenticated().and().oauth2ResourceServer().jwt();
}
}
\ No newline at end of file
......@@ -26,3 +26,33 @@ ibm.db.password=TODO
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=TODO
##Keycloak for partition service
keycloak.realm=TODO
keycloak.auth-server-url=TODO
keycloak.resource=TODO
keycloak.credentials.secret=TODO
keycloak.ssl-required=TODO