Commit ec6be0cf authored by Rustam Lotsmanenko (EPAM)'s avatar Rustam Lotsmanenko (EPAM)
Browse files

GONRG-1843 Change authentication for PartitionService to work under SA

parent ec745d7a
......@@ -28,9 +28,11 @@ import org.springframework.context.annotation.Configuration;
@Setter
public class PropertiesConfiguration {
private String authorizeApi;
private String googleAudiences;
private int cacheExpiration;
private String partitionAdminAccount;
private int cacheMaxSize;
private int cacheExpiration;
private int cacheMaxSize;
}
......@@ -17,14 +17,18 @@
package org.opengroup.osdu.partition.provider.gcp.security;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import java.util.Collections;
import java.util.Objects;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.opengroup.osdu.core.common.model.entitlements.AuthorizationResponse;
import org.opengroup.osdu.core.common.model.http.AppException;
import org.apache.commons.lang3.StringUtils;
import org.opengroup.osdu.core.common.model.http.DpsHeaders;
import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration;
import org.opengroup.osdu.partition.provider.interfaces.IAuthorizationService;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.context.annotation.RequestScope;
......@@ -34,23 +38,35 @@ import org.springframework.web.context.annotation.RequestScope;
@RequiredArgsConstructor
public class AuthorizationService implements IAuthorizationService {
private static final String PARTITION_ADMIN_ROLE = "service.partition.admin";
private final PropertiesConfiguration configuration;
private final DpsHeaders headers;
private final DpsHeaders headers;
private final org.opengroup.osdu.core.common.provider.interfaces.IAuthorizationService authorizationServiceImpl;
@Override
public boolean isDomainAdminServiceAccount() {
try {
GoogleIdTokenVerifier verifier =
new GoogleIdTokenVerifier.Builder(
GoogleNetHttpTransport.newTrustedTransport(),
JacksonFactory.getDefaultInstance())
.setAudience(Collections.singleton(configuration.getGoogleAudiences()))
.build();
@Override
public boolean isDomainAdminServiceAccount() {
try {
AuthorizationResponse authorizationResponse = authorizationServiceImpl
.authorizeAny(headers, PARTITION_ADMIN_ROLE);
} catch (AppException e) {
throw e;
} catch (Exception e) {
throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure",
e.getMessage(), e);
String authorization = headers.getAuthorization().replace("Bearer ", "");
GoogleIdToken googleIdToken = verifier.verify(authorization);
if (Objects.isNull(googleIdToken)) {
log.warn("Not valid token provided");
return false;
}
String email = googleIdToken.getPayload().getEmail();
String partitionAdminAccount = configuration.getPartitionAdminAccount();
if (Objects.nonNull(partitionAdminAccount) && !partitionAdminAccount.isEmpty()) {
return email.equals(partitionAdminAccount);
}
return StringUtils.endsWithIgnoreCase(email, "gserviceaccount.com");
} catch (Exception e) {
log.warn("Not valid or expired token provided");
return false;
}
}
return true;
}
}
/*
Copyright 2002-2021 Google LLC
Copyright 2002-2021 EPAM Systems, Inc
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package org.opengroup.osdu.partition.provider.gcp.security;
import lombok.RequiredArgsConstructor;
import javax.inject.Inject;
import org.opengroup.osdu.core.common.entitlements.EntitlementsAPIConfig;
import org.opengroup.osdu.core.common.entitlements.EntitlementsFactory;
import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
import org.opengroup.osdu.core.common.http.json.HttpResponseBodyMapper;
import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration;
import org.springframework.beans.factory.config.AbstractFactoryBean;
import org.springframework.stereotype.Component;
@Component
@RequiredArgsConstructor
public class EntitlementsClientFactory extends AbstractFactoryBean<IEntitlementsFactory> {
private final PropertiesConfiguration properties;
@Inject
private HttpResponseBodyMapper httpResponseBodyMapper;
@Override
protected IEntitlementsFactory createInstance() throws Exception {
return new EntitlementsFactory(EntitlementsAPIConfig
.builder()
.rootUrl(properties.getAuthorizeApi())
.build(),
httpResponseBodyMapper);
}
@Override
public Class<?> getObjectType() {
return IEntitlementsFactory.class;
}
}
......@@ -17,6 +17,7 @@ kms-key=searchService
KEY_RING=${key-ring}
KMS_KEY=${kms-key}
GOOGLE_CLOUD_PROJECT=${google-cloud-project}
google-audiences=519000754840-r12fqsd3e12aqep8c5f3j3t3emv8jeg1.apps.googleusercontent.com
#logging configuration
logging.level.org.springframework.web=${LOG_LEVEL:DEBUG}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment