Merge branch 'feature/GONRG-1843-work-under-SA' into gcp-auth-under-sa

# Conflicts: # provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java

Merge branch 'feature/GONRG-1843-work-under-SA' into gcp-auth-under-sa
eedcc42a · Rustam Lotsmanenko (EPAM) · 2c9cdcda · 31b01d0d · eedcc42a · eedcc42a
Commit eedcc42a authored 3 years ago by Rustam Lotsmanenko (EPAM)
--- a/provider/partition-gcp/README.md
+++ b/provider/partition-gcp/README.md
@@ -21,6 +21,8 @@ In order to run the service locally or remotely, you will need to have the follo
 | `SERVER_SERVLET_CONTEXPATH` | `/api/partition/v1` | Servlet context path | no | - |
 | `AUTHORIZE_API` | ex `https://entitlements.com/entitlements/v1` | Entitlements API endpoint | no | output of infrastructure deployment |
 | `GOOGLE_CLOUD_PROJECT` | ex `osdu-cicd-epam` | Google Cloud Project Id| no | output of infrastructure deployment |
+| `GOOGLE_AUDIENCES` | ex `*****.apps.googleusercontent.com` | Client ID for getting access to cloud resources | yes | https://console.cloud.google.com/apis/credentials |
+| `PARTITION_ADMIN_ACCOUNT` | ex `admin@domen.iam.gserviceaccount.com` | Partition Admin account email | no | - |
 | `GOOGLE_APPLICATION_CREDENTIALS` | ex `/path/to/directory/service-key.json` | Service account credentials, you only need this if running locally | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |

 ### Run Locally
@@ -115,14 +117,9 @@ You will need to have the following environment variables defined.
 | `PARTITION_BASE_URL` | ex `http://localhost:8080/` | service base URL | yes |  |
 | `CLIENT_TENANT` | ex `opendes` | name of the client partition | yes |  |
 | `MY_TENANT` | ex `opendes` | name of the OSDU partition | yes |  |
-| `INTEGRATION_TESTER` | `********` | Service account for API calls. Note: this user must have entitlements configured already. Base64 encoded string | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
+| `INTEGRATION_TESTER` | `********` | Service account for API calls. Note: this user must be `PARTITION_ADMIN_ACCOUNT` | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
 | `NO_DATA_ACCESS_TESTER` | `********` | Service account base64 encoded string without data access | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
 | `INTEGRATION_TEST_AUDIENCE` | `********` | client application ID | yes | https://console.cloud.google.com/apis/credentials |
-**Entitlements configuration for integration accounts**
-
-| INTEGRATION_TESTER | NO_DATA_ACCESS_TESTER | 
-| ---  | ---   |
-| users<br/>service.entitlements.user<br/>service.partition.admin<br/>data.test1<br/>data.integration.test<br/>users@{tenant1}@{domain}.com | users <br/>service.entitlements.user<br/> |

 Execute following command to build code and run all the integration tests:


--- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java
+++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/config/PropertiesConfiguration.java
@@ -28,9 +28,11 @@ import org.springframework.context.annotation.Configuration;
 @Setter
 public class PropertiesConfiguration {

-  private String authorizeApi;
+    private String googleAudiences;

-  private int cacheExpiration;
+    private String partitionAdminAccount;

-  private int cacheMaxSize;
+    private int cacheExpiration;
+
+    private int cacheMaxSize;
 }
--- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java
+++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java
@@ -17,14 +17,18 @@

 package org.opengroup.osdu.partition.provider.gcp.security;

+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.json.jackson2.JacksonFactory;
+import java.util.Collections;
 import java.util.Objects;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.opengroup.osdu.core.common.model.entitlements.AuthorizationResponse;
-import org.opengroup.osdu.core.common.model.http.AppException;
+import org.apache.commons.lang3.StringUtils;
 import org.opengroup.osdu.core.common.model.http.DpsHeaders;
+import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration;
 import org.opengroup.osdu.partition.provider.interfaces.IAuthorizationService;
-import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Component;
 import org.springframework.web.context.annotation.RequestScope;

@@ -34,23 +38,35 @@ import org.springframework.web.context.annotation.RequestScope;
 @RequiredArgsConstructor
 public class AuthorizationService implements IAuthorizationService {

-  private static final String PARTITION_ADMIN_ROLE = "service.partition.admin";
+    private final PropertiesConfiguration configuration;

-  private final DpsHeaders headers;
+    private final DpsHeaders headers;

-  private final org.opengroup.osdu.core.common.provider.interfaces.IAuthorizationService authorizationServiceImpl;
+    @Override
+    public boolean isDomainAdminServiceAccount() {
+        try {
+            GoogleIdTokenVerifier verifier =
+                new GoogleIdTokenVerifier.Builder(
+                    GoogleNetHttpTransport.newTrustedTransport(),
+                    JacksonFactory.getDefaultInstance())
+                    .setAudience(Collections.singleton(configuration.getGoogleAudiences()))
+                    .build();

-  @Override
-  public boolean isDomainAdminServiceAccount() {
-    try {
-      AuthorizationResponse authorizationResponse = authorizationServiceImpl
-          .authorizeAny(headers, PARTITION_ADMIN_ROLE);
-    } catch (AppException e) {
-      throw e;
-    } catch (Exception e) {
-      throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure",
-          e.getMessage(), e);
+            String authorization = headers.getAuthorization().replace("Bearer ", "");
+            GoogleIdToken googleIdToken = verifier.verify(authorization);
+            if (Objects.isNull(googleIdToken)) {
+                log.warn("Not valid token provided");
+                return false;
+            }
+            String email = googleIdToken.getPayload().getEmail();
+            String partitionAdminAccount = configuration.getPartitionAdminAccount();
+            if (Objects.nonNull(partitionAdminAccount) && !partitionAdminAccount.isEmpty()) {
+                return email.equals(partitionAdminAccount);
+            }
+            return StringUtils.endsWithIgnoreCase(email, "gserviceaccount.com");
+        } catch (Exception e) {
+            log.warn("Not valid or expired token provided");
+            return false;
+        }
    }
-    return true;
-  }
 }
--- a/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/EntitlementsClientFactory.java
+++ b/provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/EntitlementsClientFactory.java
-/*
-  Copyright 2002-2021 Google LLC
-  Copyright 2002-2021 EPAM Systems, Inc
-
-  Licensed under the Apache License, Version 2.0 (the "License");
-  you may not use this file except in compliance with the License.
-  You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
- */
-
-package org.opengroup.osdu.partition.provider.gcp.security;
-
-import lombok.RequiredArgsConstructor;
-
-import javax.inject.Inject;
-
-import org.opengroup.osdu.core.common.entitlements.EntitlementsAPIConfig;
-import org.opengroup.osdu.core.common.entitlements.EntitlementsFactory;
-import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
-import org.opengroup.osdu.core.common.http.json.HttpResponseBodyMapper;
-import org.opengroup.osdu.partition.provider.gcp.config.PropertiesConfiguration;
-import org.springframework.beans.factory.config.AbstractFactoryBean;
-import org.springframework.stereotype.Component;
-
-@Component
-@RequiredArgsConstructor
-public class EntitlementsClientFactory extends AbstractFactoryBean<IEntitlementsFactory> {
-
-  private final PropertiesConfiguration properties;
-
-  @Inject
-	private HttpResponseBodyMapper httpResponseBodyMapper;
-
-  @Override
-  protected IEntitlementsFactory createInstance() throws Exception {
-
-    return new EntitlementsFactory(EntitlementsAPIConfig
-        .builder()
-        .rootUrl(properties.getAuthorizeApi())
-        .build(),
-        httpResponseBodyMapper);
-  }
-
-  @Override
-  public Class<?> getObjectType() {
-    return IEntitlementsFactory.class;
-  }
-}
--- a/provider/partition-gcp/src/main/resources/application.properties
+++ b/provider/partition-gcp/src/main/resources/application.properties
@@ -17,6 +17,8 @@ kms-key=searchService
 KEY_RING=${key-ring}
 KMS_KEY=${kms-key}
 GOOGLE_CLOUD_PROJECT=${google-cloud-project}
+google-audiences=123.apps.googleusercontent.com
+partition-admin-account=admin@domen.iam.gserviceaccount.com

 #logging configuration
 logging.level.org.springframework.web=${LOG_LEVEL:DEBUG}