Commit
ec6be0cf
authored
Apr 12, 2021
by
Rustam Lotsmanenko (EPAM)
GONRG-1843 Change authentication for PartitionService to work under SA
parent
ec745d7a
provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java
@@ -28,9 +28,11 @@ import org.springframework.context.annotation.Configuration;
@Setter
public
class
PropertiesConfiguration
{
private
String
authorizeApi
;
private
String
googleAudiences
;
private
int
cacheExpiration
;
private
String
partitionAdminAccount
;
private
int
cacheMaxSize
;
private
int
cacheExpiration
;
private
int
cacheMaxSize
;
}
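Review bot: `googleAudiences` and `partitionAdminAccount` are security-critical settings added without a word of documentation, and their effect is not obvious from the names: in AuthorizationService.isDomainAdminServiceAccount the first is the only accepted `aud` of the caller's Google ID token, and the second, when set, is the only email granted admin, while a blank value falls back to accepting any `gserviceaccount.com` address. I would comment both fields, e.g. `// Expected 'aud' claim of the caller's Google ID token; tokens minted for any other audience are rejected.` above googleAudiences, and `// Exact service-account email granted partition admin. If blank, any *gserviceaccount.com email is accepted (see AuthorizationService).` above partitionAdminAccount. The annotations above `@Setter` are outside the hunk, so I cannot tell whether getters are generated there or elsewhere.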
provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java
@@ -17,14 +17,18 @@
package
org.opengroup.osdu.partition.provider.gcp.security
;
import
com.google.api.client.googleapis.auth.oauth2.GoogleIdToken
;
import
com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier
;
import
com.google.api.client.googleapis.javanet.GoogleNetHttpTransport
;
import
com.google.api.client.json.jackson2.JacksonFactory
;
import
java.util.Collections
;
import
java.util.Objects
;
import
lombok.RequiredArgsConstructor
;
import
lombok.extern.slf4j.Slf4j
;
import
org.opengroup.osdu.core.common.model.entitlements.AuthorizationResponse
;
import
org.opengroup.osdu.core.common.model.http.AppException
;
import
org.apache.commons.lang3.StringUtils
;
import
org.opengroup.osdu.core.common.model.http.DpsHeaders
;
import
org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration
;
import
org.opengroup.osdu.partition.provider.interfaces.IAuthorizationService
;
import
org.springframework.http.HttpStatus
;
import
org.springframework.stereotype.Component
;
import
org.springframework.web.context.annotation.RequestScope
;
@@ -34,23 +38,35 @@ import org.springframework.web.context.annotation.RequestScope;
@RequiredArgsConstructor
public
class
AuthorizationService
implements
IAuthorizationService
{
private
static
final
String
PARTITION_ADMIN_ROLE
=
"service.partition.admin"
;
private
final
PropertiesConfiguration
configuration
;
private
final
DpsHeaders
headers
;
private
final
DpsHeaders
headers
;
private
final
org
.
opengroup
.
osdu
.
core
.
common
.
provider
.
interfaces
.
IAuthorizationService
authorizationServiceImpl
;
@Override
public
boolean
isDomainAdminServiceAccount
()
{
try
{
GoogleIdTokenVerifier
verifier
=
new
GoogleIdTokenVerifier
.
Builder
(
GoogleNetHttpTransport
.
newTrustedTransport
(),
JacksonFactory
.
getDefaultInstance
())
.
setAudience
(
Collections
.
singleton
(
configuration
.
getGoogleAudiences
()))
.
build
();
@Override
public
boolean
isDomainAdminServiceAccount
()
{
try
{
AuthorizationResponse
authorizationResponse
=
authorizationServiceImpl
.
authorizeAny
(
headers
,
PARTITION_ADMIN_ROLE
);
}
catch
(
AppException
e
)
{
throw
e
;
}
catch
(
Exception
e
)
{
throw
new
AppException
(
HttpStatus
.
INTERNAL_SERVER_ERROR
.
value
(),
"Authentication Failure"
,
e
.
getMessage
(),
e
);
String
authorization
=
headers
.
getAuthorization
().
replace
(
"Bearer "
,
""
);
GoogleIdToken
googleIdToken
=
verifier
.
verify
(
authorization
);
if
(
Objects
.
isNull
(
googleIdToken
))
{
log
.
warn
(
"Not valid token provided"
);
return
false
;
}
String
email
=
googleIdToken
.
getPayload
().
getEmail
();
String
partitionAdminAccount
=
configuration
.
getPartitionAdminAccount
();
if
(
Objects
.
nonNull
(
partitionAdminAccount
)
&&
!
partitionAdminAccount
.
isEmpty
())
{
return
email
.
equals
(
partitionAdminAccount
);
}
return
StringUtils
.
endsWithIgnoreCase
(
email
,
"gserviceaccount.com"
);
}
catch
(
Exception
e
)
{
log
.
warn
(
"Not valid or expired token provided"
);
return
false
;
}
}
return
true
;
}
}
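Review bot: The fallback `return StringUtils.endsWithIgnoreCase(email, "gserviceaccount.com");` at the end of isDomainAdminServiceAccount grants partition admin to any Google service account at all, because any service account can mint an ID token for the configured audience and that audience is the only other gate; with `partitionAdminAccount` unset (the application.properties change in this commit does not set it) the check is effectively open to every GCP tenant. I would fail closed instead: when `partitionAdminAccount` is blank, log an error and return false, and if a domain-wide rule is really wanted, restrict it to the deployment's own `@<project>.iam.gserviceaccount.com` suffix rather than all of `gserviceaccount.com`. The trailing `catch (Exception e)` also drops the cause, so a `GeneralSecurityException` or `IOException` from `newTrustedTransport()` is reported as "Not valid or expired token provided" — pass `e` to `log.warn`. Building a `GoogleIdTokenVerifier` and a trusted transport on every request is wasteful as well; the verifier depends only on configuration and could be created once and held in a field, and the payload's `getEmailVerified()` flag is presumably worth checking before trusting the email, though I cannot confirm from here which claims the expected tokens carry.

```java
            // … unchanged: verifier construction and token verification …
            String email = googleIdToken.getPayload().getEmail();
            String partitionAdminAccount = configuration.getPartitionAdminAccount();
            // Fail closed: with no explicitly configured admin account, nobody is admin.
            if (StringUtils.isBlank(partitionAdminAccount) || StringUtils.isBlank(email)) {
                log.error("partitionAdminAccount is not configured or token carries no email; denying admin access");
                return false;
            }
            return email.equals(partitionAdminAccount);
        } catch (Exception e) {
            log.warn("Not valid or expired token provided", e);
            return false;
        }
```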
provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/EntitlementsClientFactory.java
deleted
100644 → 0
/*
Copyright 2002-2021 Google LLC
Copyright 2002-2021 EPAM Systems, Inc
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
org.opengroup.osdu.partition.provider.gcp.security
;
import
lombok.RequiredArgsConstructor
;
import
javax.inject.Inject
;
import
org.opengroup.osdu.core.common.entitlements.EntitlementsAPIConfig
;
import
org.opengroup.osdu.core.common.entitlements.EntitlementsFactory
;
import
org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory
;
import
org.opengroup.osdu.core.common.http.json.HttpResponseBodyMapper
;
import
org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration
;
import
org.springframework.beans.factory.config.AbstractFactoryBean
;
import
org.springframework.stereotype.Component
;
@Component
@RequiredArgsConstructor
public
class
EntitlementsClientFactory
extends
AbstractFactoryBean
<
IEntitlementsFactory
>
{
private
final
PropertiesConfiguration
properties
;
@Inject
private
HttpResponseBodyMapper
httpResponseBodyMapper
;
@Override
protected
IEntitlementsFactory
createInstance
()
throws
Exception
{
return
new
EntitlementsFactory
(
EntitlementsAPIConfig
.
builder
()
.
rootUrl
(
properties
.
getAuthorizeApi
())
.
build
(),
httpResponseBodyMapper
);
}
@Override
public
Class
<?>
getObjectType
()
{
return
IEntitlementsFactory
.
class
;
}
}
provider/partition-gcp/src/main/resources/application.properties
@@ -17,6 +17,7 @@ kms-key=searchService
KEY_RING
=
${key-ring}
KMS_KEY
=
${kms-key}
GOOGLE_CLOUD_PROJECT
=
${google-cloud-project}
google-audiences
=
519000754840-r12fqsd3e12aqep8c5f3j3t3emv8jeg1.apps.googleusercontent.com
#logging configuration
logging.level.org.springframework.web
=
${LOG_LEVEL:DEBUG}
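Review bot: `google-audiences=519000754840-r12fqsd3e12aqep8c5f3j3t3emv8jeg1.apps.googleusercontent.com` hard-codes one environment's OAuth client ID into the checked-in properties, while every neighbouring entry (`KEY_RING=${key-ring}`, `KMS_KEY=${kms-key}`, `GOOGLE_CLOUD_PROJECT=${google-cloud-project}`) is injected from the environment; use `google-audiences=${google-audiences}` so each deployment verifies tokens against its own audience. The new `partitionAdminAccount` field that AuthorizationService reads gets no entry here at all, so a default deployment runs with it unset and falls back to the broad `gserviceaccount.com` suffix check in that class. Add a placeholder such as `partition-admin-account=${partition-admin-account}` (the exact key depends on the property binding, which is not visible here) so the admin identity is explicit per deployment.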