adding security config to other providers

47b37c56 · Aman Verma · 5787d9ea · 47b37c56 · 47b37c56 · 47b37c56
Commit 47b37c56 authored Sep 01, 2021 by Aman Verma
--- a/provider/schema-aws/src/main/java/org/opengroup/osdu/schema/provider/aws/security/AuthorizationServiceForServicePrincipalImpl.java
+++ b/provider/schema-aws/src/main/java/org/opengroup/osdu/schema/provider/aws/security/AuthorizationServiceForServicePrincipalImpl.java
+package org.opengroup.osdu.schema.provider.aws.security;
+
+import org.opengroup.osdu.core.aws.entitlements.Authorizer;
+import org.opengroup.osdu.core.aws.entitlements.RequestKeys;
+import org.opengroup.osdu.core.aws.ssm.SSMUtil;
+import org.opengroup.osdu.core.common.model.http.AppException;
+import org.opengroup.osdu.core.common.model.http.DpsHeaders;
+import org.opengroup.osdu.schema.provider.interfaces.authorization.IAuthorizationServiceForServicePrincipal;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Component;
+
+import javax.annotation.PostConstruct;
+import java.util.Map;
+
+@Component
+public class AuthorizationServiceForServicePrincipalImpl implements IAuthorizationServiceForServicePrincipal {
+    @Autowired
+    private DpsHeaders headers;
+
+
+    @Value("${aws.dynamodb.region}")
+    private String awsRegion;
+
+    @Value("${aws.environment}")
+    private String awsEnvironment;
+
+    Authorizer authorizer;
+    String memberEmail=null;
+    SSMUtil ssmUtil = null;
+    String spu_email=null;
+
+    @PostConstruct
+    public void init() {
+        authorizer = new Authorizer(awsRegion, awsEnvironment);
+        if (ssmUtil == null) {
+            ssmUtil = new SSMUtil("/osdu/" + awsEnvironment + "/");
+        }
+        //get sp email
+        spu_email = ssmUtil.getSsmParameterAsString("service-principal-user");
+
+    }
+
+    @Override
+    public boolean isDomainAdminServiceAccount() {
+
+        try {
+            Map<String, String> dpsheaders =   headers.getHeaders();
+            String authorizationContents = dpsheaders.get(RequestKeys.AUTHORIZATION_HEADER_KEY);
+            if(authorizationContents == null){
+                authorizationContents = dpsheaders.get(RequestKeys.AUTHORIZATION_HEADER_KEY.toLowerCase());
+            }
+            //no JWT
+            if(authorizationContents == null)
+            {
+                throw  AppException.createUnauthorized("No JWT token. Access is Forbidden");
+            }
+
+
+            memberEmail = authorizer.validateJWT(authorizationContents);
+            if(memberEmail != null)
+            {
+                if(memberEmail.equals(spu_email)){
+                    return true;
+                }
+                else{
+                    throw  AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
+                }
+            }
+            if(memberEmail == null){
+                throw  AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
+            }
+
+        }
+        catch (AppException appE) {
+            throw appE;
+        }
+        catch (Exception e) {
+            throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure", e.getMessage(), e);
+        }
+        return false;
+    }
+}
--- a/provider/schema-gcp/src/main/java/org/opengroup/osdu/schema/configuration/PropertiesConfiguration.java
+++ b/provider/schema-gcp/src/main/java/org/opengroup/osdu/schema/configuration/PropertiesConfiguration.java
+package org.opengroup.osdu.schema.configuration;
+
+import lombok.Getter;
+import lombok.Setter;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+
+import javax.annotation.PostConstruct;
+import java.util.List;
+import java.util.Objects;
+
+@Configuration
+@ConfigurationProperties
+@Getter
+@Setter
+public class PropertiesConfiguration {
+    private String googleAudiences;
+
+    private List<String> partitionAdminAccounts;
+
+    private String googleCloudProject;
+
+    private int cacheExpiration;
+
+    private int cacheMaxSize;
+
+    private String serviceAccountTail;
+
+    @PostConstruct
+    public void setUp() {
+        if (Objects.isNull(serviceAccountTail) || serviceAccountTail.isEmpty()) {
+            this.serviceAccountTail = googleCloudProject + ".iam.gserviceaccount.com";
+        }
+    }
+}
--- a/provider/schema-gcp/src/main/java/org/opengroup/osdu/schema/security/AuthorizationServiceForServicePrincipalImpl.java
+++ b/provider/schema-gcp/src/main/java/org/opengroup/osdu/schema/security/AuthorizationServiceForServicePrincipalImpl.java
+package org.opengroup.osdu.schema.security;
+
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
+import org.opengroup.osdu.core.common.model.http.AppException;
+import org.opengroup.osdu.core.common.model.http.DpsHeaders;
+import org.opengroup.osdu.schema.configuration.PropertiesConfiguration;
+import org.opengroup.osdu.schema.provider.interfaces.authorization.IAuthorizationServiceForServicePrincipal;
+import org.springframework.stereotype.Component;
+import org.springframework.web.context.annotation.RequestScope;
+
+import java.util.List;
+import java.util.Objects;
+
+@Slf4j
+@Component
+@RequestScope
+@RequiredArgsConstructor
+public class AuthorizationServiceForServicePrincipalImpl implements IAuthorizationServiceForServicePrincipal {
+    private final PropertiesConfiguration configuration;
+
+    private final DpsHeaders headers;
+
+    private final GoogleIdTokenVerifier verifier;
+
+    @Override
+    public boolean isDomainAdminServiceAccount() {
+        if (Objects.isNull(headers.getAuthorization()) || headers.getAuthorization().isEmpty()) {
+            throw AppException.createUnauthorized("No JWT token. Access is Forbidden");
+        }
+        String email = null;
+        try {
+            String authorization = headers.getAuthorization().replace("Bearer ", "");
+            GoogleIdToken googleIdToken = verifier.verify(authorization);
+            if (Objects.isNull(googleIdToken)) {
+                log.warn("Not valid token provided");
+                throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
+            }
+            email = googleIdToken.getPayload().getEmail();
+            List<String> partitionAdminAccounts = configuration.getPartitionAdminAccounts();
+            if (Objects.nonNull(partitionAdminAccounts) && !partitionAdminAccounts.isEmpty()) {
+                return isAllowedAccount(email);
+            } else {
+                if (StringUtils.endsWith(email, configuration.getServiceAccountTail())) {
+                    return true;
+                } else {
+                    throw AppException.createUnauthorized(
+                            String.format("Unauthorized. The user %s is not Service Principal", email));
+                }
+            }
+        } catch (AppException e){
+            throw e;
+        } catch (Exception ex) {
+            log.warn(String.format("User %s is not unauthorized. %s.", email, ex));
+            throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
+        }
+    }
+
+    private boolean isAllowedAccount(String accountEmail) {
+        if (StringUtils.endsWith(accountEmail, configuration.getServiceAccountTail())) {
+            for (String partitionAdmin : configuration.getPartitionAdminAccounts()) {
+                if (partitionAdmin.equals(accountEmail)) {
+                    return true;
+                }
+                if (StringUtils.startsWith(accountEmail, partitionAdmin)) {
+                    return true;
+                }
+            }
+        }
+        throw AppException
+                .createUnauthorized(String.format("Unauthorized. The user %s is untrusted.", accountEmail));
+    }
+}
--- a/provider/schema-ibm/pom.xml
+++ b/provider/schema-ibm/pom.xml
@@ -13,6 +13,7 @@
 	<properties>
 		<start-class>org.opengroup.osdu.schema.provider.ibm.app.SchemaIBMApplication</start-class>
 		<os-core-lib-ibm.version>0.9.0</os-core-lib-ibm.version>
+		<version.keycloak>9.0.2</version.keycloak>
 	</properties>
 	

@@ -56,6 +57,13 @@
 			<version>5.4.0</version>
 			<scope>test</scope>
 		</dependency>
+
+		<!-- Keycloak  -->
+		<dependency>
+			<groupId>org.keycloak</groupId>
+			<artifactId>keycloak-spring-boot-starter</artifactId>
+			<version>${version.keycloak}</version>
+		</dependency>
 	</dependencies>

 	<build>

--- a/provider/schema-ibm/src/main/java/org/opengroup/osdu/schema/provider/ibm/security/AuthorizationServiceForServicePrincipalImpl.java
+++ b/provider/schema-ibm/src/main/java/org/opengroup/osdu/schema/provider/ibm/security/AuthorizationServiceForServicePrincipalImpl.java
+package org.opengroup.osdu.schema.provider.ibm.security;
+
+import lombok.extern.slf4j.Slf4j;
+import org.keycloak.KeycloakPrincipal;
+import org.keycloak.KeycloakSecurityContext;
+import org.opengroup.osdu.core.common.model.http.AppException;
+import org.opengroup.osdu.schema.provider.interfaces.authorization.IAuthorizationServiceForServicePrincipal;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+import org.springframework.web.context.annotation.RequestScope;
+
+@Component
+@RequestScope
+@Slf4j
+public class AuthorizationServiceForServicePrincipalImpl implements IAuthorizationServiceForServicePrincipal {
+    @Value("${service.partition.admin.user}")
+    String partitionAdminUser;
+
+
+    @Override
+    public boolean isDomainAdminServiceAccount() {
+        try {
+            final Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+            @SuppressWarnings("unchecked")
+            KeycloakPrincipal<KeycloakSecurityContext> principal = (KeycloakPrincipal<KeycloakSecurityContext>) auth.getPrincipal();
+            String upn =  principal.getName();
+            log.info("email : "+upn);
+            if(upn.equals(partitionAdminUser)) {
+                return true;
+            }
+            else {
+                throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
+            }
+
+        }
+        catch (AppException e) {
+            throw e;
+        }
+        catch (Exception e) {
+            throw new AppException(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Authentication Failure", e.getMessage(), e);
+        }
+
+    }
+}