diff --git a/provider/partition-gcp/README.md b/provider/partition-gcp/README.md index d4dde2dda176f4e42ecc2aedade901f7cb353f80..a60430b2d842c1d4057cb6b98ce85262d8dd074c 100644 --- a/provider/partition-gcp/README.md +++ b/provider/partition-gcp/README.md @@ -21,6 +21,8 @@ In order to run the service locally or remotely, you will need to have the follo | `SERVER_SERVLET_CONTEXPATH` | `/api/partition/v1` | Servlet context path | no | - | | `AUTHORIZE_API` | ex `https://entitlements.com/entitlements/v1` | Entitlements API endpoint | no | output of infrastructure deployment | | `GOOGLE_CLOUD_PROJECT` | ex `osdu-cicd-epam` | Google Cloud Project Id| no | output of infrastructure deployment | +| `GOOGLE_AUDIENCES` | ex `*****.apps.googleusercontent.com` | Client ID for getting access to cloud resources | yes | https://console.cloud.google.com/apis/credentials | +| `PARTITION_ADMIN_ACCOUNT` | ex `admin@domen.iam.gserviceaccount.com` | Partition Admin account email | no | - | | `GOOGLE_APPLICATION_CREDENTIALS` | ex `/path/to/directory/service-key.json` | Service account credentials, you only need this if running locally | yes | https://console.cloud.google.com/iam-admin/serviceaccounts | ### Run Locally 
@@ -115,14 +117,9 @@ You will need to have the following environment variables defined. | `PARTITION_BASE_URL` | ex `http://localhost:8080/` | service base URL | yes | | | `CLIENT_TENANT` | ex `opendes` | name of the client partition | yes | | | `MY_TENANT` | ex `opendes` | name of the OSDU partition | yes | | -| `INTEGRATION_TESTER` | `********` | Service account for API calls. Note: this user must have entitlements configured already. Base64 encoded string | yes | https://console.cloud.google.com/iam-admin/serviceaccounts | +| `INTEGRATION_TESTER` | `********` | Service account for API calls. Note: this user must be `PARTITION_ADMIN_ACCOUNT` | yes | https://console.cloud.google.com/iam-admin/serviceaccounts | | `NO_DATA_ACCESS_TESTER` | `********` | Service account base64 encoded string without data access | yes | https://console.cloud.google.com/iam-admin/serviceaccounts | | `INTEGRATION_TEST_AUDIENCE` | `********` | client application ID | yes | https://console.cloud.google.com/apis/credentials | -**Entitlements configuration for integration accounts** - -| INTEGRATION_TESTER | NO_DATA_ACCESS_TESTER | -| --- | --- | -| users<br/>service.entitlements.user<br/>service.partition.admin<br/>data.test1<br/>data.integration.test<br/>users@{tenant1}@{domain}.com | users <br/>service.entitlements.user<br/> | Execute following command to build code and run all the integration tests: diff --git a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java index 9475913cf2877cae635c911fa3de372df5b90a83..5d236f428953df44ea986cd06f6f36565584b03b 100644 --- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java +++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java 
@@ -28,9 +28,11 @@ import org.springframework.context.annotation.Configuration; @Setter public class PropertiesConfiguration { - private String authorizeApi; + private String googleAudiences; - private int cacheExpiration; + private String partitionAdminAccount; - private int cacheMaxSize; + private int cacheExpiration; + + private int cacheMaxSize; } diff --git a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java index b19b061ba369931346107deb371d5a6779238748..a015d6b7f99075e47512dc14f73cdbd3f4c312e0 100644 --- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java +++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java @@ -17,14 +17,18 @@ package org.opengroup.osdu.partition.provider.gcp.security; +import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken; +import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier; +import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport; +import com.google.api.client.json.jackson2.JacksonFactory; +import java.util.Collections; import java.util.Objects; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; -import org.opengroup.osdu.core.common.model.entitlements.AuthorizationResponse; -import org.opengroup.osdu.core.common.model.http.AppException; +import org.apache.commons.lang3.StringUtils; import org.opengroup.osdu.core.common.model.http.DpsHeaders; +import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration; import org.opengroup.osdu.partition.provider.interfaces.IAuthorizationService; -import org.springframework.http.HttpStatus; import org.springframework.stereotype.Component; import org.springframework.web.context.annotation.RequestScope; 
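Review bot: `authorizeApi` is dropped from `PropertiesConfiguration` (and the Entitlements client factory that read it is deleted further down), yet the README hunk above still lists `AUTHORIZE_API` as a service variable; either that row should go or a sentence should say the endpoint is no longer read by this provider. The two new fields carry no documentation although one of them is a security switch: a comment such as `// OAuth client ID accepted as the ID-token audience (GOOGLE_AUDIENCES)` on `googleAudiences`, and `// Service account email granted partition-admin rights (PARTITION_ADMIN_ACCOUNT); when blank, AuthorizationService falls back to accepting any gserviceaccount.com principal` on `partitionAdminAccount`, would make the fallback visible to whoever edits the config next.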
@@ -34,23 +38,35 @@ import org.springframework.web.context.annotation.RequestScope; @RequiredArgsConstructor public class AuthorizationService implements IAuthorizationService { - private static final String PARTITION_ADMIN_ROLE = "service.partition.admin"; + private final PropertiesConfiguration configuration; - private final DpsHeaders headers; + private final DpsHeaders headers; - private final org.opengroup.osdu.core.common.provider.interfaces.IAuthorizationService authorizationServiceImpl; + @Override + public boolean isDomainAdminServiceAccount() { + try { + GoogleIdTokenVerifier verifier = + new GoogleIdTokenVerifier.Builder( + GoogleNetHttpTransport.newTrustedTransport(), + JacksonFactory.getDefaultInstance()) + .setAudience(Collections.singleton(configuration.getGoogleAudiences())) + .build(); - @Override - public boolean isDomainAdminServiceAccount() { - try { - AuthorizationResponse authorizationResponse = authorizationServiceImpl - .authorizeAny(headers, PARTITION_ADMIN_ROLE); - } catch (AppException e) { - throw e; - } catch (Exception e) { - throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure", - e.getMessage(), e); + String authorization = headers.getAuthorization().replace("Bearer ", ""); + GoogleIdToken googleIdToken = verifier.verify(authorization); + if (Objects.isNull(googleIdToken)) { + log.warn("Not valid token provided"); + return false; + } + String email = googleIdToken.getPayload().getEmail(); + String partitionAdminAccount = configuration.getPartitionAdminAccount(); + if (Objects.nonNull(partitionAdminAccount) && !partitionAdminAccount.isEmpty()) { + return email.equals(partitionAdminAccount); + } + return StringUtils.endsWithIgnoreCase(email, "gserviceaccount.com"); + } catch (Exception e) { + log.warn("Not valid or expired token provided"); + return false; + } } - return true; - } } 
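Review bot: When `partitionAdminAccount` is unset or empty, the new `isDomainAdminServiceAccount` falls back to `StringUtils.endsWithIgnoreCase(email, "gserviceaccount.com")`, which grants partition-admin rights to any Google service account whose ID token carries the configured audience, not only accounts from this deployment; if that fallback is deliberate it needs a comment saying so, otherwise the method should fail closed by returning false and logging that `PARTITION_ADMIN_ACCOUNT` is not configured. `headers.getAuthorization().replace("Bearer ", "")` throws when the header is absent and strips the substring wherever it occurs, and the `catch (Exception e)` then logs "Not valid or expired token provided" without the exception, so a missing header, a token with no `email` claim and a genuine signature failure are indistinguishable in the logs; checking the header shape explicitly and passing `e` to `log.warn` keeps the diagnostics without exposing the token itself. `email` can be null when the payload has no email claim, so the comparison is safer as `partitionAdminAccount.equals(email)`. Building a `GoogleIdTokenVerifier` plus a trusted transport on every call also discards the verifier's public-key cache; since the class is `@RequestScope`, injecting a single verifier bean would be preferable.
```java
            // … unchanged: verifier construction …
            String authorization = headers.getAuthorization();
            if (Objects.isNull(authorization) || !authorization.startsWith("Bearer ")) {
                log.warn("Missing or malformed Authorization header");
                return false;
            }
            GoogleIdToken googleIdToken = verifier.verify(authorization.substring("Bearer ".length()));
            // … unchanged: null-token check …
            String email = googleIdToken.getPayload().getEmail();
            String partitionAdminAccount = configuration.getPartitionAdminAccount();
            if (StringUtils.isBlank(partitionAdminAccount)) {
                // fail closed: no configured admin account means nobody is admin
                log.error("PARTITION_ADMIN_ACCOUNT is not configured; refusing admin access");
                return false;
            }
            return partitionAdminAccount.equals(email);
        } catch (Exception e) {
            log.warn("Not valid or expired token provided", e);
            return false;
        }
```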
diff --git a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/EntitlementsClientFactory.java b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/EntitlementsClientFactory.java deleted file mode 100644 index ce48a3673c0f8fa7407286529296458f1754a6b4..0000000000000000000000000000000000000000 --- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/EntitlementsClientFactory.java +++ /dev/null 
@@ -1,55 +0,0 @@ -/* - Copyright 2002-2021 Google LLC - Copyright 2002-2021 EPAM Systems, Inc - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - */ - -package org.opengroup.osdu.partition.provider.gcp.security; - -import lombok.RequiredArgsConstructor; - -import javax.inject.Inject; - -import org.opengroup.osdu.core.common.entitlements.EntitlementsAPIConfig; -import org.opengroup.osdu.core.common.entitlements.EntitlementsFactory; -import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory; -import org.opengroup.osdu.core.common.http.json.HttpResponseBodyMapper; -import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration; -import org.springframework.beans.factory.config.AbstractFactoryBean; -import org.springframework.stereotype.Component; - -@Component -@RequiredArgsConstructor -public class EntitlementsClientFactory extends AbstractFactoryBean<IEntitlementsFactory> { - - private final PropertiesConfiguration properties; - - @Inject - private HttpResponseBodyMapper httpResponseBodyMapper; - - @Override - protected IEntitlementsFactory createInstance() throws Exception { - - return new EntitlementsFactory(EntitlementsAPIConfig - .builder() - .rootUrl(properties.getAuthorizeApi()) - .build(), - httpResponseBodyMapper); - } - - @Override - public Class<?> getObjectType() { - return IEntitlementsFactory.class; - } -} 
diff --git a/provider/partition-gcp/src/main/resources/application.properties b/provider/partition-gcp/src/main/resources/application.properties index 3f9c4e0ded14515f36e82c034a1fb3de189d4ba6..3bb3b7343933e9414aee898abbd4834773f5308a 100644 --- a/provider/partition-gcp/src/main/resources/application.properties +++ b/provider/partition-gcp/src/main/resources/application.properties @@ -17,6 +17,8 @@ kms-key=searchService KEY_RING=${key-ring} KMS_KEY=${kms-key} GOOGLE_CLOUD_PROJECT=${google-cloud-project} +google-audiences=123.apps.googleusercontent.com +partition-admin-account=admin@domen.iam.gserviceaccount.com #logging configuration logging.level.org.springframework.web=${LOG_LEVEL:DEBUG}
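Review bot: The two new keys are given literal placeholder values (`123.apps.googleusercontent.com`, `admin@domen.iam.gserviceaccount.com`) instead of the `${...}` indirection used by `GOOGLE_CLOUD_PROJECT=${google-cloud-project}` just above, so a deployment that forgets to export `GOOGLE_AUDIENCES` starts cleanly and then rejects every token with the generic "Not valid or expired token provided" warning from `AuthorizationService`. Placeholders without defaults, `google-audiences=${GOOGLE_AUDIENCES}` and `partition-admin-account=${PARTITION_ADMIN_ACCOUNT}`, would surface the missing configuration at startup instead. Presumably relaxed binding lets the environment override these keys already; a one-line comment stating which environment variables map to them would save the next reader a trip to the README.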