GONRG-1843 Change authentication for PartitionService to work under SA

ec6be0cf · Rustam Lotsmanenko (EPAM) · ec745d7a · ec6be0cf · ec6be0cf · ec745d7a
Commit ec6be0cf authored Apr 12, 2021 by Rustam Lotsmanenko (EPAM)
--- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java
+++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java
@@ -28,9 +28,11 @@ import org.springframework.context.annotation.Configuration;
 @Setter
 public class PropertiesConfiguration {

-  private String authorizeApi;
+    private String googleAudiences;

-  private int cacheExpiration;
+    private String partitionAdminAccount;

-  private int cacheMaxSize;
+    private int cacheExpiration;
+
+    private int cacheMaxSize;
 }
--- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java
+++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java
@@ -17,14 +17,18 @@

 package org.opengroup.osdu.partition.provider.gcp.security;

+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.json.jackson2.JacksonFactory;
+import java.util.Collections;
 import java.util.Objects;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.opengroup.osdu.core.common.model.entitlements.AuthorizationResponse;
-import org.opengroup.osdu.core.common.model.http.AppException;
+import org.apache.commons.lang3.StringUtils;
 import org.opengroup.osdu.core.common.model.http.DpsHeaders;
+import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration;
 import org.opengroup.osdu.partition.provider.interfaces.IAuthorizationService;
-import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Component;
 import org.springframework.web.context.annotation.RequestScope;

@@ -34,23 +38,35 @@ import org.springframework.web.context.annotation.RequestScope;
 @RequiredArgsConstructor
 public class AuthorizationService implements IAuthorizationService {

-  private static final String PARTITION_ADMIN_ROLE = "service.partition.admin";
+    private final PropertiesConfiguration configuration;

-  private final DpsHeaders headers;
+    private final DpsHeaders headers;

-  private final org.opengroup.osdu.core.common.provider.interfaces.IAuthorizationService authorizationServiceImpl;
+    @Override
+    public boolean isDomainAdminServiceAccount() {
+        try {
+            GoogleIdTokenVerifier verifier =
+                new GoogleIdTokenVerifier.Builder(
+                    GoogleNetHttpTransport.newTrustedTransport(),
+                    JacksonFactory.getDefaultInstance())
+                    .setAudience(Collections.singleton(configuration.getGoogleAudiences()))
+                    .build();

-  @Override
-  public boolean isDomainAdminServiceAccount() {
-    try {
-      AuthorizationResponse authorizationResponse = authorizationServiceImpl
-          .authorizeAny(headers, PARTITION_ADMIN_ROLE);
-    } catch (AppException e) {
-      throw e;
-    } catch (Exception e) {
-      throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure",
-          e.getMessage(), e);
+            String authorization = headers.getAuthorization().replace("Bearer ", "");
+            GoogleIdToken googleIdToken = verifier.verify(authorization);
+            if (Objects.isNull(googleIdToken)) {
+                log.warn("Not valid token provided");
+                return false;
+            }
+            String email = googleIdToken.getPayload().getEmail();
+            String partitionAdminAccount = configuration.getPartitionAdminAccount();
+            if (Objects.nonNull(partitionAdminAccount) && !partitionAdminAccount.isEmpty()) {
+                return email.equals(partitionAdminAccount);
+            }
+            return StringUtils.endsWithIgnoreCase(email, "gserviceaccount.com");
+        } catch (Exception e) {
+            log.warn("Not valid or expired token provided");
+            return false;
+        }
    }
-    return true;
-  }
 }
--- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/EntitlementsClientFactory.java
+++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/EntitlementsClientFactory.java
-/*
-  Copyright 2002-2021 Google LLC
-  Copyright 2002-2021 EPAM Systems, Inc
-
-  Licensed under the Apache License, Version 2.0 (the "License");
-  you may not use this file except in compliance with the License.
-  You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
- */
-
-package org.opengroup.osdu.partition.provider.gcp.security;
-
-import lombok.RequiredArgsConstructor;
-
-import javax.inject.Inject;
-
-import org.opengroup.osdu.core.common.entitlements.EntitlementsAPIConfig;
-import org.opengroup.osdu.core.common.entitlements.EntitlementsFactory;
-import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
-import org.opengroup.osdu.core.common.http.json.HttpResponseBodyMapper;
-import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration;
-import org.springframework.beans.factory.config.AbstractFactoryBean;
-import org.springframework.stereotype.Component;
-
-@Component
-@RequiredArgsConstructor
-public class EntitlementsClientFactory extends AbstractFactoryBean<IEntitlementsFactory> {
-
-  private final PropertiesConfiguration properties;
-
-  @Inject
-	private HttpResponseBodyMapper httpResponseBodyMapper;
-
-  @Override
-  protected IEntitlementsFactory createInstance() throws Exception {
-
-    return new EntitlementsFactory(EntitlementsAPIConfig
-        .builder()
-        .rootUrl(properties.getAuthorizeApi())
-        .build(),
-        httpResponseBodyMapper);
-  }
-
-  @Override
-  public Class<?> getObjectType() {
-    return IEntitlementsFactory.class;
-  }
-}
--- a/provider/partition-gcp/src/main/resources/application.properties
+++ b/provider/partition-gcp/src/main/resources/application.properties
@@ -17,6 +17,7 @@ kms-key=searchService
 KEY_RING=${key-ring}
 KMS_KEY=${kms-key}
 GOOGLE_CLOUD_PROJECT=${google-cloud-project}
+google-audiences=519000754840-r12fqsd3e12aqep8c5f3j3t3emv8jeg1.apps.googleusercontent.com

 #logging configuration
 logging.level.org.springframework.web=${LOG_LEVEL:DEBUG}