Commit 47b37c56 authored by Aman Verma's avatar Aman Verma

adding security config to other providers

parent 5787d9ea
package org.opengroup.osdu.schema.provider.aws.security;
import org.opengroup.osdu.core.aws.entitlements.Authorizer;
import org.opengroup.osdu.core.aws.entitlements.RequestKeys;
import org.opengroup.osdu.core.aws.ssm.SSMUtil;
import org.opengroup.osdu.core.common.model.http.AppException;
import org.opengroup.osdu.core.common.model.http.DpsHeaders;
import org.opengroup.osdu.schema.provider.interfaces.authorization.IAuthorizationServiceForServicePrincipal;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import javax.annotation.PostConstruct;
import java.util.Map;
@Component
public class AuthorizationServiceForServicePrincipalImpl implements IAuthorizationServiceForServicePrincipal {
@Autowired
private DpsHeaders headers;
@Value("${aws.dynamodb.region}")
private String awsRegion;
@Value("${aws.environment}")
private String awsEnvironment;
Authorizer authorizer;
String memberEmail=null;
SSMUtil ssmUtil = null;
String spu_email=null;
@PostConstruct
public void init() {
authorizer = new Authorizer(awsRegion, awsEnvironment);
if (ssmUtil == null) {
ssmUtil = new SSMUtil("/osdu/" + awsEnvironment + "/");
}
//get sp email
spu_email = ssmUtil.getSsmParameterAsString("service-principal-user");
}
@Override
public boolean isDomainAdminServiceAccount() {
try {
Map<String, String> dpsheaders = headers.getHeaders();
String authorizationContents = dpsheaders.get(RequestKeys.AUTHORIZATION_HEADER_KEY);
if(authorizationContents == null){
authorizationContents = dpsheaders.get(RequestKeys.AUTHORIZATION_HEADER_KEY.toLowerCase());
}
//no JWT
if(authorizationContents == null)
{
throw AppException.createUnauthorized("No JWT token. Access is Forbidden");
}
memberEmail = authorizer.validateJWT(authorizationContents);
if(memberEmail != null)
{
if(memberEmail.equals(spu_email)){
return true;
}
else{
throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
}
}
if(memberEmail == null){
throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
}
}
catch (AppException appE) {
throw appE;
}
catch (Exception e) {
throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure", e.getMessage(), e);
}
return false;
}
}
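Review bot: `memberEmail` is assigned per request in `isDomainAdminServiceAccount` (`memberEmail = authorizer.validateJWT(authorizationContents);`) but is a field of a plain `@Component`, which is a singleton here since, unlike the GCP and IBM implementations in this commit, the class carries no `@RequestScope`; two concurrent requests can therefore interleave and the `memberEmail.equals(spu_email)` comparison may read the other request's email. Make it a local — `String memberEmail = authorizer.validateJWT(authorizationContents);` — and remove the field, leaving only the state that `init()` sets once (`authorizer`, `ssmUtil`, `spu_email`) on the bean. The raw `Authorization` header value is handed to `validateJWT` without stripping a `Bearer ` prefix; whether `Authorizer` tolerates that cannot be seen from here, and the GCP implementation strips it explicitly, so a comment stating the expected header form would help. The trailing `if(memberEmail == null)` check and the `return false` after the try/catch are only reachable when validation returned null, so the null case can become a single unconditional throw and the method then has no path that returns false.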
package org.opengroup.osdu.schema.configuration;
import lombok.Getter;
import lombok.Setter;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Configuration;
import javax.annotation.PostConstruct;
import java.util.List;
import java.util.Objects;
@Configuration
@ConfigurationProperties
@Getter
@Setter
public class PropertiesConfiguration {
private String googleAudiences;
private List<String> partitionAdminAccounts;
private String googleCloudProject;
private int cacheExpiration;
private int cacheMaxSize;
private String serviceAccountTail;
@PostConstruct
public void setUp() {
if (Objects.isNull(serviceAccountTail) || serviceAccountTail.isEmpty()) {
this.serviceAccountTail = googleCloudProject + ".iam.gserviceaccount.com";
}
}
}
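Review bot: `setUp()` derives `serviceAccountTail` from `googleCloudProject` without checking that the project is set, so a missing `googleCloudProject` property silently produces the tail `null.iam.gserviceaccount.com`, and that string is the suffix the GCP authorization service in this commit trusts via `StringUtils.endsWith`. Because the value gates service-principal access, it is better to fail at startup: `Objects.requireNonNull(googleCloudProject, "googleCloudProject must be set when serviceAccountTail is not configured");` before the assignment. A short class Javadoc stating that `serviceAccountTail` defaults to `<googleCloudProject>.iam.gserviceaccount.com` and that a non-empty `partitionAdminAccounts` list replaces the suffix-only check would make the two configuration modes visible to operators.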
package org.opengroup.osdu.schema.security;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.opengroup.osdu.core.common.model.http.AppException;
import org.opengroup.osdu.core.common.model.http.DpsHeaders;
import org.opengroup.osdu.schema.configuration.PropertiesConfiguration;
import org.opengroup.osdu.schema.provider.interfaces.authorization.IAuthorizationServiceForServicePrincipal;
import org.springframework.stereotype.Component;
import org.springframework.web.context.annotation.RequestScope;
import java.util.List;
import java.util.Objects;
@Slf4j
@Component
@RequestScope
@RequiredArgsConstructor
public class AuthorizationServiceForServicePrincipalImpl implements IAuthorizationServiceForServicePrincipal {
private final PropertiesConfiguration configuration;
private final DpsHeaders headers;
private final GoogleIdTokenVerifier verifier;
@Override
public boolean isDomainAdminServiceAccount() {
if (Objects.isNull(headers.getAuthorization()) || headers.getAuthorization().isEmpty()) {
throw AppException.createUnauthorized("No JWT token. Access is Forbidden");
}
String email = null;
try {
String authorization = headers.getAuthorization().replace("Bearer ", "");
GoogleIdToken googleIdToken = verifier.verify(authorization);
if (Objects.isNull(googleIdToken)) {
log.warn("Not valid token provided");
throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
}
email = googleIdToken.getPayload().getEmail();
List<String> partitionAdminAccounts = configuration.getPartitionAdminAccounts();
if (Objects.nonNull(partitionAdminAccounts) && !partitionAdminAccounts.isEmpty()) {
return isAllowedAccount(email);
} else {
if (StringUtils.endsWith(email, configuration.getServiceAccountTail())) {
return true;
} else {
throw AppException.createUnauthorized(
String.format("Unauthorized. The user %s is not Service Principal", email));
}
}
} catch (AppException e){
throw e;
} catch (Exception ex) {
log.warn(String.format("User %s is not unauthorized. %s.", email, ex));
throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
}
}
private boolean isAllowedAccount(String accountEmail) {
if (StringUtils.endsWith(accountEmail, configuration.getServiceAccountTail())) {
for (String partitionAdmin : configuration.getPartitionAdminAccounts()) {
if (partitionAdmin.equals(accountEmail)) {
return true;
}
if (StringUtils.startsWith(accountEmail, partitionAdmin)) {
return true;
}
}
}
throw AppException
.createUnauthorized(String.format("Unauthorized. The user %s is untrusted.", accountEmail));
}
}
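Review bot: `isAllowedAccount` accepts any account for which `StringUtils.startsWith(accountEmail, partitionAdmin)` holds, so an entry such as `svc` in `partitionAdminAccounts` admits every account whose address begins with `svc` and whose domain ends with `serviceAccountTail`, which is much broader than the exact `partitionAdmin.equals(accountEmail)` branch directly above it suggests. If prefix entries are intended, state the contract on the method (`// entries may be full emails or prefixes; a prefix admits every account under serviceAccountTail that starts with it`); if not, drop the `startsWith` branch and keep the exact match only. The `email_verified` claim of the Google ID token is not consulted before `getEmail()` is trusted; if the verifier does not already enforce it, checking `googleIdToken.getPayload().getEmailVerified()` alongside the suffix test would be prudent — confirm against the verifier configuration. The fallback warning `"User %s is not unauthorized. %s."` in the generic catch says the opposite of what happened and should read `"User %s is not authorized. %s."`.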
......@@ -13,6 +13,7 @@
<properties>
<start-class>org.opengroup.osdu.schema.provider.ibm.app.SchemaIBMApplication</start-class>
<os-core-lib-ibm.version>0.9.0</os-core-lib-ibm.version>
<version.keycloak>9.0.2</version.keycloak>
</properties>
......@@ -56,6 +57,13 @@
<version>5.4.0</version>
<scope>test</scope>
</dependency>
<!-- Keycloak -->
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-starter</artifactId>
<version>${version.keycloak}</version>
</dependency>
</dependencies>
<build>
......
package org.opengroup.osdu.schema.provider.ibm.security;
import lombok.extern.slf4j.Slf4j;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.opengroup.osdu.core.common.model.http.AppException;
import org.opengroup.osdu.schema.provider.interfaces.authorization.IAuthorizationServiceForServicePrincipal;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.context.annotation.RequestScope;
@Component
@RequestScope
@Slf4j
public class AuthorizationServiceForServicePrincipalImpl implements IAuthorizationServiceForServicePrincipal {
@Value("${service.partition.admin.user}")
String partitionAdminUser;
@Override
public boolean isDomainAdminServiceAccount() {
try {
final Authentication auth = SecurityContextHolder.getContext().getAuthentication();
@SuppressWarnings("unchecked")
KeycloakPrincipal<KeycloakSecurityContext> principal = (KeycloakPrincipal<KeycloakSecurityContext>) auth.getPrincipal();
String upn = principal.getName();
log.info("email : "+upn);
if(upn.equals(partitionAdminUser)) {
return true;
}
else {
throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
}
}
catch (AppException e) {
throw e;
}
catch (Exception e) {
throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure", e.getMessage(), e);
}
}
}
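Review bot: `SecurityContextHolder.getContext().getAuthentication()` may return null, and `auth.getPrincipal()` need not be a `KeycloakPrincipal` when the request carried no usable token; either case throws a `NullPointerException` or `ClassCastException` that lands in `catch (Exception e)` and is answered with `HttpStatus.INTERNAL_SERVER_ERROR` and "Authentication Failure" instead of a 401. Guard before the cast, `if (auth == null || !(auth.getPrincipal() instanceof KeycloakPrincipal)) { throw AppException.createUnauthorized("No JWT token. Access is Forbidden"); }`, which also aligns the message with the AWS and GCP implementations in this commit. `log.info("email : "+upn)` records the caller's identity on every authorization check via string concatenation; use the parameterized form at debug level, `log.debug("email : {}", upn);`, or remove it. `partitionAdminUser` is package-private; `private String partitionAdminUser;` is sufficient unless a test in the same package relies on setting it.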