Posted to commits@dlab.apache.org by bh...@apache.org on 2019/07/30 09:18:53 UTC
[incubator-dlab] 01/02: DLAB-728 replaced security service with
keycloak integration
This is an automated email from the ASF dual-hosted git repository.
bhliva pushed a commit to branch dlab_refactored
in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git
commit dfba3db01422c157110eb2795c13c5d8e4cbc787
Author: bhliva <bo...@epam.com>
AuthorDate: Thu May 30 16:51:34 2019 +0300
DLAB-728 replaced security service with keycloak integration
---
pom.xml | 4 -
.../java/com/epam/dlab/auth/SecurityFactory.java | 54 -----
.../epam/dlab/auth/SecurityRestAuthenticator.java | 54 -----
services/security-aws/pom.xml | 58 ------
.../com/epam/dlab/auth/aws/dao/AwsUserDAO.java | 35 ----
.../com/epam/dlab/auth/aws/dao/AwsUserDAOImpl.java | 79 -------
.../aws/service/AwsCredentialRefreshService.java | 68 ------
.../aws/service/AwsUserVerificationService.java | 82 --------
services/security-azure/pom.xml | 78 -------
.../dlab/auth/azure/AuthorizationCodeSupplier.java | 44 ----
.../dlab/auth/azure/AuthorizationSupplier.java | 36 ----
.../auth/azure/AzureAuthenticationResource.java | 194 -----------------
.../dlab/auth/azure/AzureLocalAuthResponse.java | 42 ----
.../epam/dlab/auth/azure/AzureLoginUrlBuilder.java | 75 -------
.../dlab/auth/azure/AzureSecurityResource.java | 116 -----------
.../com/epam/dlab/auth/azure/RoleAssignment.java | 37 ----
.../dlab/auth/azure/RoleAssignmentProperties.java | 43 ----
.../dlab/auth/azure/RoleAssignmentResponse.java | 35 ----
.../dlab/auth/azure/UsernamePasswordSupplier.java | 43 ----
.../service/AzureAuthorizationCodeService.java | 46 ----
.../service/AzureAuthorizationCodeServiceImpl.java | 231 ---------------------
services/security-gcp/pom.xml | 66 ------
.../gcp/resources/GcpOauth2SecurityResource.java | 56 -----
.../auth/gcp/service/GcpAuthenticationService.java | 110 ----------
services/security-service/pom.xml | 183 ----------------
services/security-service/security.yml | 150 -------------
.../epam/dlab/auth/SecurityServiceApplication.java | 65 ------
.../dlab/auth/SecurityServiceConfiguration.java | 146 -------------
.../epam/dlab/auth/core/DlabLdapConnection.java | 42 ----
.../dlab/auth/core/DlabLdapConnectionFactory.java | 49 -----
.../epam/dlab/auth/core/ReturnableConnection.java | 67 ------
.../com/epam/dlab/auth/core/SimpleConnection.java | 47 -----
.../java/com/epam/dlab/auth/dao/LdapUserDAO.java | 30 ---
.../com/epam/dlab/auth/dao/LdapUserDAOImpl.java | 165 ---------------
.../main/java/com/epam/dlab/auth/dao/Request.java | 35 ----
.../epam/dlab/auth/dao/UserInfoDAODumbImpl.java | 54 -----
.../epam/dlab/auth/dao/UserInfoDAOMongoImpl.java | 132 ------------
.../auth/modules/AwsSecurityServiceModule.java | 92 --------
.../auth/modules/AzureSecurityServiceModule.java | 78 -------
.../auth/modules/GcpSecurityServiceModule.java | 94 ---------
.../com/epam/dlab/auth/modules/ModuleFactory.java | 43 ----
.../dlab/auth/modules/SecurityServiceModule.java | 66 ------
.../SynchronousLdapAuthenticationResource.java | 80 -------
.../dlab/auth/service/AuthenticationService.java | 34 ---
.../service/impl/LdapAuthenticationService.java | 89 --------
.../security-service/src/main/resources/banner.txt | 6 -
.../impl/LdapAuthenticationServiceTest.java | 139 -------------
services/self-service/pom.xml | 6 +
.../DropwizardBearerTokenFilterImpl.java | 20 ++
.../dlab/backendapi/SelfServiceApplication.java | 50 +++++
.../SelfServiceApplicationConfiguration.java | 14 ++
.../auth/SelfServiceSecurityAuthenticator.java | 55 -----
.../backendapi/modules/AwsSelfServiceModule.java | 7 +-
.../backendapi/modules/AzureSelfServiceModule.java | 18 --
.../epam/dlab/backendapi/modules/DevModule.java | 4 +-
.../backendapi/modules/GcpSelfServiceModule.java | 9 +-
.../backendapi/resources/SecurityResource.java | 4 +-
.../servlet/guacamole/GuacamoleSecurityFilter.java | 18 +-
.../backendapi/resources/SecurityResourceTest.java | 2 +-
59 files changed, 104 insertions(+), 3675 deletions(-)
diff --git a/pom.xml b/pom.xml
index 378593f..1925e09 100644
--- a/pom.xml
+++ b/pom.xml
@@ -52,10 +52,6 @@
<module>services/self-service</module>
<module>services/billing-azure</module>
<module>services/billing-gcp</module>
- <module>services/security-azure</module>
- <module>services/security-gcp</module>
- <module>services/security-aws</module>
- <module>services/security-service</module>
<module>services/dlab-model</module>
<module>services/dlab-utils</module>
<module>services/dlab-webapp-common</module>
diff --git a/services/dlab-webapp-common/src/main/java/com/epam/dlab/auth/SecurityFactory.java b/services/dlab-webapp-common/src/main/java/com/epam/dlab/auth/SecurityFactory.java
deleted file mode 100644
index 67fe166..0000000
--- a/services/dlab-webapp-common/src/main/java/com/epam/dlab/auth/SecurityFactory.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth;
-
-import com.google.inject.Injector;
-import io.dropwizard.auth.AuthDynamicFeature;
-import io.dropwizard.auth.AuthValueFactoryProvider;
-import io.dropwizard.auth.Authorizer;
-import io.dropwizard.auth.oauth.OAuthCredentialAuthFilter;
-import io.dropwizard.setup.Environment;
-import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;
-
-public class SecurityFactory {
- private static final String PREFIX = "Bearer";
-
- public void configure(Injector injector, Environment environment) {
-
- configure(injector, environment, SecurityRestAuthenticator.class,
- injector.getInstance(SecurityAuthorizer.class));
- }
-
- public <T extends SecurityRestAuthenticator> void configure(Injector injector, Environment environment,
- Class<T> authenticator,
- Authorizer<UserInfo> authorizer) {
-
- environment.jersey().register(new AuthDynamicFeature(
- new OAuthCredentialAuthFilter.Builder<UserInfo>()
- .setAuthenticator(injector.getInstance(authenticator))
- .setAuthorizer(authorizer)
- .setPrefix(PREFIX)
- .setUnauthorizedHandler(injector.getInstance(SecurityUnauthorizedHandler.class))
- .buildAuthFilter()));
-
- environment.jersey().register(RolesAllowedDynamicFeature.class);
- environment.jersey().register(new AuthValueFactoryProvider.Binder<>(UserInfo.class));
- }
-}
diff --git a/services/dlab-webapp-common/src/main/java/com/epam/dlab/auth/SecurityRestAuthenticator.java b/services/dlab-webapp-common/src/main/java/com/epam/dlab/auth/SecurityRestAuthenticator.java
deleted file mode 100644
index 9ff1339..0000000
--- a/services/dlab-webapp-common/src/main/java/com/epam/dlab/auth/SecurityRestAuthenticator.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth;
-
-import com.epam.dlab.auth.contract.SecurityAPI;
-import com.epam.dlab.constants.ServiceConsts;
-import com.epam.dlab.rest.client.RESTService;
-import com.google.inject.Inject;
-import com.google.inject.name.Named;
-import io.dropwizard.auth.AuthenticationException;
-import io.dropwizard.auth.Authenticator;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.slf4j.MDC;
-
-import java.util.Optional;
-
-public class SecurityRestAuthenticator implements Authenticator<String, UserInfo> {
- private static final Logger LOGGER = LoggerFactory.getLogger(SecurityRestAuthenticator.class);
-
- @Inject
- @Named(ServiceConsts.SECURITY_SERVICE_NAME)
- private RESTService securityService;
-
- @Inject
- private SystemUserInfoService systemUserInfoService;
-
- @Override
- public Optional<UserInfo> authenticate(String credentials) throws AuthenticationException {
- LOGGER.debug("authenticate token {}", credentials);
-
- final Optional<UserInfo> userInfo = Optional.ofNullable(systemUserInfoService.getUser(credentials).orElseGet(
- () -> securityService.post(SecurityAPI.GET_USER_INFO, credentials, UserInfo.class)));
- userInfo.ifPresent(ui -> MDC.put("user", ui.getName()));
- return userInfo;
- }
-}
diff --git a/services/security-aws/pom.xml b/services/security-aws/pom.xml
deleted file mode 100644
index 105d798..0000000
--- a/services/security-aws/pom.xml
+++ /dev/null
@@ -1,58 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- ~ Licensed to the Apache Software Foundation (ASF) under one
- ~ or more contributor license agreements. See the NOTICE file
- ~ distributed with this work for additional information
- ~ regarding copyright ownership. The ASF licenses this file
- ~ to you under the Apache License, Version 2.0 (the
- ~ "License"); you may not use this file except in compliance
- ~ with the License. You may obtain a copy of the License at
- ~
- ~ http://www.apache.org/licenses/LICENSE-2.0
- ~
- ~ Unless required by applicable law or agreed to in writing,
- ~ software distributed under the License is distributed on an
- ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- ~ KIND, either express or implied. See the License for the
- ~ specific language governing permissions and limitations
- ~ under the License.
- -->
-
-<project xmlns="http://maven.apache.org/POM/4.0.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <parent>
- <artifactId>dlab</artifactId>
- <groupId>com.epam.dlab</groupId>
- <version>1.0</version>
- <relativePath>../../pom.xml</relativePath>
- </parent>
- <modelVersion>4.0.0</modelVersion>
-
- <artifactId>security-aws</artifactId>
-
-
- <properties>
- <aws-java-sdk-iam.version>1.11.48</aws-java-sdk-iam.version>
- </properties>
-
- <dependencies>
- <dependency>
- <groupId>com.epam.dlab</groupId>
- <artifactId>common</artifactId>
- </dependency>
- <dependency>
- <groupId>com.amazonaws</groupId>
- <artifactId>aws-java-sdk-iam</artifactId>
- <version>${aws-java-sdk-iam.version}</version>
- </dependency>
- <dependency>
- <groupId>com.epam.dlab</groupId>
- <artifactId>dlab-webapp-common</artifactId>
- <version>${project.parent.version}</version>
- <scope>provided</scope>
- </dependency>
- </dependencies>
-
-
-</project>
\ No newline at end of file
diff --git a/services/security-aws/src/main/java/com/epam/dlab/auth/aws/dao/AwsUserDAO.java b/services/security-aws/src/main/java/com/epam/dlab/auth/aws/dao/AwsUserDAO.java
deleted file mode 100644
index 639513e..0000000
--- a/services/security-aws/src/main/java/com/epam/dlab/auth/aws/dao/AwsUserDAO.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.aws.dao;
-
-import com.amazonaws.auth.AWSCredentials;
-import com.amazonaws.services.identitymanagement.model.AccessKeyMetadata;
-import com.amazonaws.services.identitymanagement.model.User;
-
-import java.util.List;
-
-public interface AwsUserDAO {
-
- User getAwsUser(String username);
-
- void updateCredentials(AWSCredentials credentials);
-
- List<AccessKeyMetadata> getAwsAccessKeys(String username);
-}
diff --git a/services/security-aws/src/main/java/com/epam/dlab/auth/aws/dao/AwsUserDAOImpl.java b/services/security-aws/src/main/java/com/epam/dlab/auth/aws/dao/AwsUserDAOImpl.java
deleted file mode 100644
index 4398ccc..0000000
--- a/services/security-aws/src/main/java/com/epam/dlab/auth/aws/dao/AwsUserDAOImpl.java
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.aws.dao;
-
-import com.amazonaws.auth.AWSCredentials;
-import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
-import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient;
-import com.amazonaws.services.identitymanagement.model.*;
-import com.google.inject.Inject;
-import com.google.inject.Singleton;
-import lombok.extern.slf4j.Slf4j;
-
-import java.util.List;
-
-@Singleton
-@Slf4j
-public class AwsUserDAOImpl implements AwsUserDAO {
-
- private volatile AmazonIdentityManagement aim;
-
- @Inject
- public AwsUserDAOImpl(AWSCredentials credentials) {
- this.aim = new AmazonIdentityManagementClient(credentials);
- }
-
- @Override
- public User getAwsUser(String username) {
- User u = fetchAwsUser(username);
- log.debug("Fetched AWS user {}", u);
- return u;
- }
-
- @Override
- public void updateCredentials(AWSCredentials credentials) {
- this.aim = new AmazonIdentityManagementClient(credentials);
- }
-
- @Override
- public List<AccessKeyMetadata> getAwsAccessKeys(String username) {
- List<AccessKeyMetadata> data = null;
- try {
- ListAccessKeysRequest request = new ListAccessKeysRequest().withUserName(username);
- ListAccessKeysResult result = aim.listAccessKeys(request);
- data = result.getAccessKeyMetadata();
- } catch (Exception e) {
- log.error("AccessKeyMetadata for {} request failed: {}", username, e.getMessage());
- }
- return data;
- }
-
- private User fetchAwsUser(String username) {
- User user = null;
- try {
- GetUserRequest r = new GetUserRequest().withUserName(username);
- GetUserResult ur = aim.getUser(r);
- user = ur.getUser();
- } catch (NoSuchEntityException e) {
- log.error("User {} not found: {}", username, e.getMessage());
- }
- return user;
- }
-}
diff --git a/services/security-aws/src/main/java/com/epam/dlab/auth/aws/service/AwsCredentialRefreshService.java b/services/security-aws/src/main/java/com/epam/dlab/auth/aws/service/AwsCredentialRefreshService.java
deleted file mode 100644
index 54bc300..0000000
--- a/services/security-aws/src/main/java/com/epam/dlab/auth/aws/service/AwsCredentialRefreshService.java
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.aws.service;
-
-import com.amazonaws.auth.AWSCredentialsProvider;
-import com.epam.dlab.auth.aws.dao.AwsUserDAO;
-import com.google.inject.Inject;
-import com.google.inject.Singleton;
-import io.dropwizard.lifecycle.Managed;
-import lombok.extern.slf4j.Slf4j;
-
-import java.util.concurrent.Executors;
-import java.util.concurrent.ScheduledExecutorService;
-import java.util.concurrent.TimeUnit;
-
-@Singleton
-@Slf4j
-public class AwsCredentialRefreshService implements Managed {
-
- private final ScheduledExecutorService executor = Executors.newSingleThreadScheduledExecutor();
- private final AwsUserDAO awsUserDAO;
- private final AWSCredentialsProvider credentialsProvider;
-
- @Inject
- public AwsCredentialRefreshService(AwsUserDAO awsUserDAO, AWSCredentialsProvider credentialsProvider) {
- this.awsUserDAO = awsUserDAO;
- this.credentialsProvider = credentialsProvider;
- }
-
- @Override
- public void start() {
- executor.scheduleAtFixedRate(() -> refresh(credentialsProvider), 5, 5,
- TimeUnit.MINUTES);
- }
-
- @Override
- public void stop() {
- executor.shutdown();
- }
-
- private void refresh(AWSCredentialsProvider credentialsProvider) {
- try {
- credentialsProvider.refresh();
- this.awsUserDAO.updateCredentials(credentialsProvider.getCredentials());
- log.debug("provider credentials refreshed");
- } catch (Exception e) {
- log.error("AWS provider error", e);
- throw e;
- }
- }
-}
diff --git a/services/security-aws/src/main/java/com/epam/dlab/auth/aws/service/AwsUserVerificationService.java b/services/security-aws/src/main/java/com/epam/dlab/auth/aws/service/AwsUserVerificationService.java
deleted file mode 100644
index 27294ef..0000000
--- a/services/security-aws/src/main/java/com/epam/dlab/auth/aws/service/AwsUserVerificationService.java
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.aws.service;
-
-import com.amazonaws.services.identitymanagement.model.AccessKeyMetadata;
-import com.amazonaws.services.identitymanagement.model.User;
-import com.epam.dlab.auth.UserInfo;
-import com.epam.dlab.auth.UserVerificationService;
-import com.epam.dlab.auth.aws.dao.AwsUserDAO;
-import com.epam.dlab.exceptions.DlabException;
-import com.google.inject.Inject;
-import com.google.inject.Singleton;
-
-import java.util.List;
-
-@Singleton
-public class AwsUserVerificationService implements UserVerificationService {
-
- private final AwsUserDAO awsUserDAO;
-
- @Inject
- public AwsUserVerificationService(AwsUserDAO awsUserDAO) {
- this.awsUserDAO = awsUserDAO;
- }
-
- @Override
- public void verify(UserInfo userInfo) {
- verifyAwsUser(userInfo);
- verifyAwsKeys(userInfo);
- }
-
-
- private User verifyAwsUser(UserInfo userInfo) {
- try {
- User awsUser = awsUserDAO.getAwsUser(userInfo.getName());
- if (awsUser != null) {
- userInfo.setAwsUser(true);
- return awsUser;
- } else {
- throw new DlabException("Please contact AWS administrator to create corresponding IAM User");
- }
- } catch (RuntimeException e) {
- throw new DlabException("Please contact AWS administrator to create corresponding IAM User", e);
- }
- }
-
- private List<AccessKeyMetadata> verifyAwsKeys(UserInfo userInfo) {
-
- userInfo.getKeys().clear();
-
- try {
- List<AccessKeyMetadata> keys = awsUserDAO.getAwsAccessKeys(userInfo.getName());
- if (keys == null || keys.isEmpty()
- || keys.stream().noneMatch(k -> "Active".equalsIgnoreCase(k.getStatus()))) {
-
- throw new DlabException("Cannot get aws access key for user " + userInfo.getName());
- }
- keys.forEach(e -> userInfo.addKey(e.getAccessKeyId(), e.getStatus()));
-
- return keys;
- } catch (RuntimeException e) {
- throw new DlabException("Please contact AWS administrator to activate your Access Key", e);
- }
- }
-}
diff --git a/services/security-azure/pom.xml b/services/security-azure/pom.xml
deleted file mode 100644
index d484b67..0000000
--- a/services/security-azure/pom.xml
+++ /dev/null
@@ -1,78 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- ~ Licensed to the Apache Software Foundation (ASF) under one
- ~ or more contributor license agreements. See the NOTICE file
- ~ distributed with this work for additional information
- ~ regarding copyright ownership. The ASF licenses this file
- ~ to you under the Apache License, Version 2.0 (the
- ~ "License"); you may not use this file except in compliance
- ~ with the License. You may obtain a copy of the License at
- ~
- ~ http://www.apache.org/licenses/LICENSE-2.0
- ~
- ~ Unless required by applicable law or agreed to in writing,
- ~ software distributed under the License is distributed on an
- ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- ~ KIND, either express or implied. See the License for the
- ~ specific language governing permissions and limitations
- ~ under the License.
- -->
-
-<project xmlns="http://maven.apache.org/POM/4.0.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <parent>
- <artifactId>dlab</artifactId>
- <groupId>com.epam.dlab</groupId>
- <version>1.0</version>
- <relativePath>../../pom.xml</relativePath>
- </parent>
- <modelVersion>4.0.0</modelVersion>
-
- <artifactId>security-azure</artifactId>
-
- <dependencies>
-
- <dependency>
- <groupId>com.epam.dlab</groupId>
- <artifactId>common</artifactId>
- <version>${project.parent.version}</version>
- </dependency>
-
- <dependency>
- <groupId>com.microsoft.azure</groupId>
- <artifactId>adal4j</artifactId>
- <version>1.3.0</version>
- </dependency>
-
- <dependency>
- <groupId>com.microsoft.azure</groupId>
- <artifactId>azure-client-authentication</artifactId>
- <version>1.2.0</version>
- </dependency>
-
- <dependency>
- <groupId>io.dropwizard</groupId>
- <artifactId>dropwizard-auth</artifactId>
- <version>${io.dropwizard.version}</version>
- </dependency>
- <dependency>
- <groupId>com.google.inject</groupId>
- <artifactId>guice</artifactId>
- </dependency>
- <dependency>
- <groupId>com.epam.dlab</groupId>
- <artifactId>dlab-webapp-common</artifactId>
- <version>${project.parent.version}</version>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>com.epam.dlab</groupId>
- <artifactId>dlab-model</artifactId>
- <version>${project.parent.version}</version>
- </dependency>
-
- </dependencies>
-
-
-</project>
\ No newline at end of file
diff --git a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AuthorizationCodeSupplier.java b/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AuthorizationCodeSupplier.java
deleted file mode 100644
index 4d4650c..0000000
--- a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AuthorizationCodeSupplier.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.azure;
-
-import com.epam.dlab.auth.conf.AzureLoginConfiguration;
-import com.epam.dlab.dto.azure.auth.AuthorizationCodeFlowResponse;
-import com.microsoft.aad.adal4j.AuthenticationContext;
-import com.microsoft.aad.adal4j.AuthenticationResult;
-
-import java.net.URI;
-import java.util.concurrent.Future;
-
-class AuthorizationCodeSupplier extends AuthorizationSupplier {
- private final AuthorizationCodeFlowResponse response;
-
- AuthorizationCodeSupplier(AzureLoginConfiguration azureLoginConfiguration,
- AuthorizationCodeFlowResponse response) {
- super(azureLoginConfiguration);
- this.response = response;
- }
-
- public Future<AuthenticationResult> get(AuthenticationContext context, String resource) {
- return context
- .acquireTokenByAuthorizationCode(response.getCode(), resource, azureLoginConfiguration.getClientId(),
- URI.create(azureLoginConfiguration.getRedirectUrl()), null);
- }
-}
\ No newline at end of file
diff --git a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AuthorizationSupplier.java b/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AuthorizationSupplier.java
deleted file mode 100644
index fef50a9..0000000
--- a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AuthorizationSupplier.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.azure;
-
-import com.epam.dlab.auth.conf.AzureLoginConfiguration;
-import com.microsoft.aad.adal4j.AuthenticationContext;
-import com.microsoft.aad.adal4j.AuthenticationResult;
-
-import java.util.concurrent.Future;
-
-public abstract class AuthorizationSupplier {
- final AzureLoginConfiguration azureLoginConfiguration;
-
- AuthorizationSupplier(AzureLoginConfiguration azureLoginConfiguration) {
- this.azureLoginConfiguration = azureLoginConfiguration;
- }
-
- public abstract Future<AuthenticationResult> get(AuthenticationContext context, String resource);
-}
\ No newline at end of file
diff --git a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AzureAuthenticationResource.java b/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AzureAuthenticationResource.java
deleted file mode 100644
index fca3ed0..0000000
--- a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AzureAuthenticationResource.java
+++ /dev/null
@@ -1,194 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.azure;
-
-import com.epam.dlab.auth.UserInfo;
-import com.epam.dlab.auth.UserInfoDAO;
-import com.epam.dlab.auth.azure.service.AzureAuthorizationCodeService;
-import com.epam.dlab.auth.conf.AzureLoginConfiguration;
-import com.epam.dlab.auth.contract.SecurityAPI;
-import com.epam.dlab.auth.dto.UserCredentialDTO;
-import com.epam.dlab.auth.rest.AbstractAuthenticationService;
-import com.epam.dlab.dto.azure.auth.AuthorizationCodeFlowResponse;
-import com.epam.dlab.rest.dto.ErrorDTO;
-import com.fasterxml.jackson.core.type.TypeReference;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.inject.Inject;
-import com.microsoft.aad.adal4j.AuthenticationException;
-import io.dropwizard.Configuration;
-import org.apache.commons.lang3.StringUtils;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Consumes;
-import javax.ws.rs.POST;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
-import java.io.IOException;
-import java.net.URI;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Optional;
-
-/**
- * Used to authenticate users against Azure Active Directory
- *
- * @param <C> holds application configuration info
- */
-@Path("/")
-@Consumes(MediaType.APPLICATION_JSON)
-@Produces(MediaType.APPLICATION_JSON)
-public class AzureAuthenticationResource<C extends Configuration> extends AbstractAuthenticationService<C> {
-
- private final UserInfoDAO userInfoDao;
- private final AzureLoginConfiguration azureLoginConfiguration;
- private final ObjectMapper objectMapper = new ObjectMapper();
- private final AzureAuthorizationCodeService authorizationCodeService;
-
- @Inject
- public AzureAuthenticationResource(C config, UserInfoDAO userInfoDao,
- AzureLoginConfiguration azureLoginConfiguration, AzureAuthorizationCodeService
- authorizationCodeService) {
- super(config);
- this.userInfoDao = userInfoDao;
- this.azureLoginConfiguration = azureLoginConfiguration;
- this.authorizationCodeService = authorizationCodeService;
- }
-
- /**
- * Authenticates user by given <code>credential</code>
- *
- * @param credential contains username and password
- * @param request http request
- * @return authentication result in {@link Response}
- */
- @Path(SecurityAPI.LOGIN)
- @POST
- public Response login(UserCredentialDTO credential, @Context HttpServletRequest request) {
-
- log.info("Basic authentication {}", credential);
-
- try {
- return Response.ok(authorizationCodeService.authenticateAndLogin(new UsernamePasswordSupplier
- (azureLoginConfiguration, credential))).build();
- } catch (AuthenticationException e) {
- log.error("Basic authentication failed", e);
- return handleUserCredentialsLogin(e);
- }
- }
-
- /**
- * Returns user info that is mapped with <code>accessToken</code>
- *
- * @param accessToken input access token
- * @param request http request
- * @return user info
- */
- @Override
- @Path(SecurityAPI.GET_USER_INFO)
- @POST
- public UserInfo getUserInfo(String accessToken, @Context HttpServletRequest request) {
- String remoteIp = request.getRemoteAddr();
-
- final Optional<UserInfo> ui = userInfoDao.getUserInfoByAccessToken(accessToken);
-
- if (ui.isPresent()) {
- userInfoDao.updateUserInfoTTL(accessToken, ui.get().withToken(accessToken));
- log.debug("restored UserInfo from DB {}", ui);
- }
-
- log.debug("Authorized {} {} {}", accessToken, ui, remoteIp);
- return ui.get().withToken(accessToken);
- }
-
- /**
- * Logs out user by input <code>accessToken</code>
- *
- * @param accessToken input access yoken
- * @return result of the operation
- */
- @Override
- @Path(SecurityAPI.LOGOUT)
- @POST
- public Response logout(String accessToken) {
- userInfoDao.deleteUserInfo(accessToken);
- log.info("Logged out user {}", accessToken);
- return Response.ok().build();
- }
-
- /**
- * Using OAuth2 authorization code grant approach authenticates user by given authorization code in
- * <code>response</code>
- *
- * @param response contains username and passwrd
- * @return authentication result in {@link Response}
- */
- @Path(SecurityAPI.LOGIN_OAUTH)
- @POST
- public Response authenticateOAuth(AuthorizationCodeFlowResponse response) {
-
- log.info("Try to login using authorization code {}", response);
-
- try {
- return Response.ok(authorizationCodeService.authenticateAndLogin(new AuthorizationCodeSupplier
- (azureLoginConfiguration, response))).build();
- } catch (AuthenticationException e) {
- log.error("OAuth authentication failed", e);
- final Response.Status unauthorized = Response.Status.UNAUTHORIZED;
- return Response.status(unauthorized)
- .entity(new ErrorDTO(unauthorized.getStatusCode(), "Username or password is invalid")).build();
- }
- }
-
- private Response handleUserCredentialsLogin(AuthenticationException e) {
- String message = e.getMessage();
-
- log.info("Try to handle exception with message {}", message);
-
- String invalidGrantError = "invalid_grant";
- String errorCode = "AADSTS65001";
- String errorDescriptionKey = "error_description";
-
- if (StringUtils.isNotEmpty(message)) {
- try {
- Map<String, String> errors = objectMapper
- .readValue(message,
- new TypeReference<HashMap<String, String>>() {
- });
- if (errors != null
- && invalidGrantError.equalsIgnoreCase(errors.get("error"))
- && StringUtils.isNotEmpty(errors.get(errorDescriptionKey))
- && errors.get(errorDescriptionKey).startsWith(errorCode)) {
-
- return Response.status(Response.Status.FORBIDDEN)
- .header("Location", URI.create(azureLoginConfiguration.getRedirectUrl()
- + "api" + SecurityAPI.INIT_LOGIN_OAUTH_AZURE)).build();
- }
- } catch (IOException ioException) {
- log.warn("Cannot handle authentication exception", ioException);
- }
- }
- final Response.Status unauthorized = Response.Status.UNAUTHORIZED;
- return Response.status(unauthorized)
- .entity(new ErrorDTO(unauthorized.getStatusCode(), "Username or password is invalid")).build();
- }
-}
diff --git a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AzureLocalAuthResponse.java b/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AzureLocalAuthResponse.java
deleted file mode 100644
index 2616d57..0000000
--- a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AzureLocalAuthResponse.java
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.azure;
-
-import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.annotation.JsonInclude;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import lombok.AllArgsConstructor;
-import lombok.Data;
-import lombok.NoArgsConstructor;
-
-@Data
-@AllArgsConstructor
-@NoArgsConstructor
-@JsonIgnoreProperties(ignoreUnknown = true)
-@JsonInclude(JsonInclude.Include.NON_EMPTY)
-public class AzureLocalAuthResponse {
- @JsonProperty("access_token")
- private String authenticationToken;
- @JsonProperty("username")
- private String userName;
- @JsonProperty("error_message")
- private String errorMessage;
-
-}
diff --git a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AzureLoginUrlBuilder.java b/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AzureLoginUrlBuilder.java
deleted file mode 100644
index 52f701b..0000000
--- a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AzureLoginUrlBuilder.java
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.azure;
-
-import com.epam.dlab.auth.conf.AzureLoginConfiguration;
-import com.google.inject.Singleton;
-import lombok.extern.slf4j.Slf4j;
-
-import javax.xml.bind.DataBindingException;
-import java.io.UnsupportedEncodingException;
-import java.net.URLEncoder;
-
-/**
- * Builds login url for authentication through Azure Active Directory using OAuth2 protocol
- */
-@Slf4j
-@Singleton
-public class AzureLoginUrlBuilder {
- private AzureLoginConfiguration azureLoginConfiguration;
-
- public AzureLoginUrlBuilder(AzureLoginConfiguration azureLoginConfiguration) {
- this.azureLoginConfiguration = azureLoginConfiguration;
- }
-
- String buildLoginUrl() {
- return azureLoginConfiguration.getLoginPage();
- }
-
- String buildLoginUrl(String state) {
- return buildLoginUrl(state, azureLoginConfiguration.getPrompt());
- }
-
- String buildSilentLoginUrl(String state) {
- log.info("Silent login is {}", azureLoginConfiguration.isSilent());
-
- if (azureLoginConfiguration.isSilent()) {
- return buildLoginUrl(state, "none");
- } else {
- return buildLoginUrl(state);
- }
- }
-
- private String buildLoginUrl(String state, String prompt) {
- try {
- return String.format("%s/%s/oauth2/authorize?client_id=%s&redirect_uri=%s&response_type=code&response_mode=%s&prompt=%s&state=%s",
- azureLoginConfiguration.getAuthority(),
- azureLoginConfiguration.getTenant(),
- azureLoginConfiguration.getClientId(),
- URLEncoder.encode(azureLoginConfiguration.getRedirectUrl(), "UTF-8"),
- azureLoginConfiguration.getResponseMode(),
- prompt,
- state);
- } catch (UnsupportedEncodingException e) {
- log.error("Cannot create login url", e);
- throw new DataBindingException("Cannot handle authorization info", e);
- }
- }
-}
diff --git a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AzureSecurityResource.java b/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AzureSecurityResource.java
deleted file mode 100644
index 335da2d..0000000
--- a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/AzureSecurityResource.java
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.azure;
-
-import com.epam.dlab.auth.azure.service.AzureAuthorizationCodeService;
-import com.epam.dlab.auth.conf.AzureLoginConfiguration;
-import com.epam.dlab.dto.azure.auth.AuthorizationCodeFlowResponse;
-import com.epam.dlab.exceptions.DlabAuthenticationException;
-import com.epam.dlab.rest.dto.ErrorDTO;
-import com.google.common.cache.Cache;
-import com.google.common.cache.CacheBuilder;
-import com.google.inject.Inject;
-import lombok.extern.slf4j.Slf4j;
-
-import javax.ws.rs.*;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
-import java.net.URI;
-import java.util.UUID;
-import java.util.concurrent.TimeUnit;
-
-@Path("/user/azure")
-@Consumes(MediaType.APPLICATION_JSON)
-@Produces(MediaType.APPLICATION_JSON)
-@Slf4j
-public class AzureSecurityResource {
-
- private static final Object DUMMY = new Object();
- private final Cache<String, Object> cache = CacheBuilder.newBuilder().expireAfterWrite(4, TimeUnit.HOURS)
- .maximumSize(10000).build();
-
- @Inject
- private AzureAuthorizationCodeService authorizationCodeService;
-
- @Inject
- private AzureLoginUrlBuilder azureLoginUrlBuilder;
-
- @Inject
- private AzureLoginConfiguration azureLoginConfiguration;
-
- @GET
- @Path("/init")
- public Response login() {
-
- log.debug("Init oauth silent login flow");
- String uuid = UUID.randomUUID().toString();
- log.info("Register oauth state {}", uuid);
- cache.put(uuid, DUMMY);
-
- return Response.ok(azureLoginUrlBuilder.buildSilentLoginUrl(uuid)).build();
- }
-
- @POST
- @Path("/oauth")
- public Response login(AuthorizationCodeFlowResponse authorizationCodeFlowResponse) {
- log.info("Authenticate client {}", authorizationCodeFlowResponse);
- if (authorizationCodeFlowResponse.isSuccessful()) {
- log.debug("Successfully received auth code {}", authorizationCodeFlowResponse);
- if (cache.getIfPresent(authorizationCodeFlowResponse.getState()) != null) {
- return getAccessTokenResponse(authorizationCodeFlowResponse);
- } else {
- log.warn("Malformed authorization code is retrieved for state {}", authorizationCodeFlowResponse);
- }
- } else {
- log.info("Check if silent authentication {}", authorizationCodeFlowResponse);
- if (cache.getIfPresent(authorizationCodeFlowResponse.getState()) != null
- && ("login_required".equals(authorizationCodeFlowResponse.getError())
- || "interaction_required".equals(authorizationCodeFlowResponse.getError()))) {
-
- log.debug("Silent authentication detected {}", authorizationCodeFlowResponse);
- return Response.status(Response.Status.FORBIDDEN).header("Location", URI.create(
- azureLoginUrlBuilder.buildLoginUrl(authorizationCodeFlowResponse.getState()))).build();
- }
- }
-
- log.info("Try to log in one more time");
- cache.invalidate(authorizationCodeFlowResponse.getState());
- return Response.status(Response.Status.FORBIDDEN).header("Location", URI.create(
- azureLoginUrlBuilder.buildLoginUrl())).build();
- }
-
- private Response getAccessTokenResponse(AuthorizationCodeFlowResponse authorizationCodeFlowResponse) {
- log.debug("Retrieving token from {}", authorizationCodeFlowResponse);
- try {
- final AzureLocalAuthResponse response = authorizationCodeService
- .authenticateAndLogin(new AuthorizationCodeSupplier(azureLoginConfiguration,
- authorizationCodeFlowResponse));
- log.debug("Token retrieve response {}", response);
- return Response.ok(response).build();
- } catch (DlabAuthenticationException e) {
- log.error(e.getMessage());
- final Response.Status unauthorized = Response.Status.UNAUTHORIZED;
- return Response.status(unauthorized)
- .entity(new ErrorDTO(unauthorized.getStatusCode(), e.getMessage()))
- .build();
- }
- }
-}
-
diff --git a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/RoleAssignment.java b/services/security-azure/src/main/java/com/epam/dlab/auth/azure/RoleAssignment.java
deleted file mode 100644
index a11aff9..0000000
--- a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/RoleAssignment.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.azure;
-
-import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import lombok.Data;
-
-@Data
-@JsonIgnoreProperties(ignoreUnknown = true)
-public class RoleAssignment {
- @JsonProperty
- private RoleAssignmentProperties properties;
- @JsonProperty
- private String id;
- @JsonProperty
- private String type;
- @JsonProperty
- private String name;
-}
diff --git a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/RoleAssignmentProperties.java b/services/security-azure/src/main/java/com/epam/dlab/auth/azure/RoleAssignmentProperties.java
deleted file mode 100644
index b6e6331..0000000
--- a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/RoleAssignmentProperties.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.azure;
-
-import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import lombok.Data;
-
-@Data
-@JsonIgnoreProperties(ignoreUnknown = true)
-public class RoleAssignmentProperties {
- @JsonProperty
- private String roleDefinitionId;
- @JsonProperty
- private String principalId;
- @JsonProperty
- private String scope;
- @JsonProperty
- private String createdOn;
- @JsonProperty
- private String updatedOn;
- @JsonProperty
- private String createdBy;
- @JsonProperty
- private String updatedBy;
-}
diff --git a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/RoleAssignmentResponse.java b/services/security-azure/src/main/java/com/epam/dlab/auth/azure/RoleAssignmentResponse.java
deleted file mode 100644
index bf05172..0000000
--- a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/RoleAssignmentResponse.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.azure;
-
-import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import lombok.Data;
-
-import java.util.List;
-
-@Data
-@JsonIgnoreProperties(ignoreUnknown = true)
-public class RoleAssignmentResponse {
- @JsonProperty
- private List<RoleAssignment> value;
- @JsonProperty
- private String nextLink;
-}
diff --git a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/UsernamePasswordSupplier.java b/services/security-azure/src/main/java/com/epam/dlab/auth/azure/UsernamePasswordSupplier.java
deleted file mode 100644
index b80d4c0..0000000
--- a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/UsernamePasswordSupplier.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.azure;
-
-import com.epam.dlab.auth.conf.AzureLoginConfiguration;
-import com.epam.dlab.auth.dto.UserCredentialDTO;
-import com.microsoft.aad.adal4j.AuthenticationContext;
-import com.microsoft.aad.adal4j.AuthenticationResult;
-
-import java.util.concurrent.Future;
-
-class UsernamePasswordSupplier extends AuthorizationSupplier {
- private final UserCredentialDTO credentialDTO;
-
- UsernamePasswordSupplier(AzureLoginConfiguration azureLoginConfiguration,
- UserCredentialDTO credentialDTO) {
- super(azureLoginConfiguration);
- this.credentialDTO = credentialDTO;
- }
-
- public Future<AuthenticationResult> get(AuthenticationContext context, String resource) {
- return context
- .acquireToken(resource, azureLoginConfiguration.getClientId(), credentialDTO.getUsername(),
- credentialDTO.getPassword(), null);
- }
-}
\ No newline at end of file
diff --git a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/service/AzureAuthorizationCodeService.java b/services/security-azure/src/main/java/com/epam/dlab/auth/azure/service/AzureAuthorizationCodeService.java
deleted file mode 100644
index f8f2c32..0000000
--- a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/service/AzureAuthorizationCodeService.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.azure.service;
-
-import com.epam.dlab.auth.azure.AuthorizationSupplier;
-import com.epam.dlab.auth.azure.AzureLocalAuthResponse;
-import com.microsoft.aad.adal4j.AuthenticationResult;
-
-import javax.ws.rs.core.Response;
-
-public interface AzureAuthorizationCodeService {
-
- /**
- * Authenticates user that provided by <code>authorizationSupplier</code>
- *
- * @param authorizationSupplier contains user info that is used for authentication
- * @return response {@link Response} with proper status {@link Response.Status} that means result of
- * the user authentication.
- */
- AzureLocalAuthResponse authenticateAndLogin(AuthorizationSupplier authorizationSupplier);
-
- /**
- * Verifies if user has permissions to configured scope in configuration file
- *
- * @param authenticationResult result retrieved after authentication against Azure platform
- * @return <code>true</code> if user is allowed, <code>false</code> otherwise
- */
- boolean validatePermissions(AuthenticationResult authenticationResult);
-}
diff --git a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/service/AzureAuthorizationCodeServiceImpl.java b/services/security-azure/src/main/java/com/epam/dlab/auth/azure/service/AzureAuthorizationCodeServiceImpl.java
deleted file mode 100644
index 0c3a0b5..0000000
--- a/services/security-azure/src/main/java/com/epam/dlab/auth/azure/service/AzureAuthorizationCodeServiceImpl.java
+++ /dev/null
@@ -1,231 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package com.epam.dlab.auth.azure.service;
-
-import com.epam.dlab.auth.UserInfo;
-import com.epam.dlab.auth.UserInfoDAO;
-import com.epam.dlab.auth.azure.AuthorizationSupplier;
-import com.epam.dlab.auth.azure.AzureLocalAuthResponse;
-import com.epam.dlab.auth.azure.RoleAssignment;
-import com.epam.dlab.auth.azure.RoleAssignmentResponse;
-import com.epam.dlab.exceptions.DlabAuthenticationException;
-import com.epam.dlab.exceptions.DlabException;
-import com.fasterxml.jackson.core.type.TypeReference;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.inject.Inject;
-import com.microsoft.aad.adal4j.AuthenticationContext;
-import com.microsoft.aad.adal4j.AuthenticationResult;
-import com.microsoft.azure.AzureEnvironment;
-import com.microsoft.azure.credentials.ApplicationTokenCredentials;
-import lombok.extern.slf4j.Slf4j;
-
-import javax.ws.rs.ClientErrorException;
-import javax.ws.rs.client.Client;
-import javax.ws.rs.client.ClientBuilder;
-import javax.ws.rs.core.MediaType;
-import java.io.File;
-import java.io.IOException;
-import java.net.MalformedURLException;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.Future;
-import java.util.stream.Collectors;
-
-import static com.epam.dlab.auth.rest.AbstractAuthenticationService.getRandomToken;
-
-@Slf4j
-public class AzureAuthorizationCodeServiceImpl implements AzureAuthorizationCodeService {
- @Inject
- private UserInfoDAO userInfoDao;
-
- private final String authority;
- private String clientId;
- private String tenantId;
- private String clientSecret;
- private final String permissionScope;
- private final boolean validatePermissionScope;
-
- public AzureAuthorizationCodeServiceImpl(String authority, String permissionScope, String managementApiAuthFile,
- boolean validatePermissionScope) throws IOException {
- this.authority = authority;
- this.permissionScope = permissionScope;
- this.validatePermissionScope = validatePermissionScope;
-
- if (validatePermissionScope) {
- Map<String, String> authenticationParameters = new ObjectMapper()
- .readValue(new File(managementApiAuthFile),
- new TypeReference<HashMap<String, String>>() {
- });
-
- this.clientId = authenticationParameters.get("clientId");
- this.tenantId = authenticationParameters.get("tenantId");
- this.clientSecret = authenticationParameters.get("clientSecret");
-
- if (clientId == null || tenantId == null || clientSecret == null) {
- throw new DlabException("Authentication information not configured to use Management API");
- }
- }
- }
-
- @Override
- public AzureLocalAuthResponse authenticateAndLogin(AuthorizationSupplier authorizationSupplier) {
- AuthenticationResult authenticationResult = authenticate(authorizationSupplier,
- AzureEnvironment.AZURE.dataLakeEndpointResourceId());
-
- if (validatePermissions(authenticationResult)) {
-
- UserInfo userInfo = prepareUserInfo(authenticationResult);
- userInfoDao.saveUserInfo(userInfo);
-
- return new AzureLocalAuthResponse(userInfo.getAccessToken(),
- userInfo.getName(), null);
- }
- throw new DlabAuthenticationException("You do not have proper permissions to use DLab. Please contact your " +
- "administrator");
- }
-
- @Override
- public boolean validatePermissions(AuthenticationResult authenticationResult) {
- if (!validatePermissionScope) {
- log.info("Verification of user permissions is disabled");
- return true;
- }
-
- Client client = null;
- RoleAssignmentResponse roleAssignmentResponse;
- try {
- client = ClientBuilder.newClient();
-
- roleAssignmentResponse = client
- .target(AzureEnvironment.AZURE.resourceManagerEndpoint()
- + permissionScope + "roleAssignments")
- .queryParam("api-version", "2015-07-01")
- .queryParam("$filter", String.format("assignedTo('%s')",
- authenticationResult.getUserInfo().getUniqueId()))
- .request(MediaType.APPLICATION_JSON_TYPE)
- .header("Authorization", String.format("Bearer %s", getManagementApiToken()))
- .get(RoleAssignmentResponse.class);
-
- } catch (ClientErrorException e) {
- log.error("Cannot validate permissions due to {}", (e.getResponse() != null && e.getResponse().hasEntity())
- ? e.getResponse().readEntity(String.class) : "");
- log.error("Error during permission validation", e);
- throw e;
- } catch (RuntimeException e) {
- log.error("Cannot validate permissions due to", e);
- throw e;
- } finally {
- if (client != null) {
- client.close();
- }
- }
-
- return checkRoles(roleAssignmentResponse, authenticationResult);
- }
-
- private String getManagementApiToken() {
- try {
-
- log.info("Requesting authentication token ... ");
-
- ApplicationTokenCredentials applicationTokenCredentials = new ApplicationTokenCredentials(
- clientId, tenantId, clientSecret,
- AzureEnvironment.AZURE);
-
- return applicationTokenCredentials.getToken(AzureEnvironment.AZURE.resourceManagerEndpoint());
- } catch (IOException e) {
- log.error("Cannot retrieve authentication token due to", e);
- throw new DlabException("Cannot retrieve authentication token", e);
- }
- }
-
-
- private AuthenticationResult authenticate(AuthorizationSupplier authorizationSupplier, String resource) {
- AuthenticationResult result;
- ExecutorService executorService = Executors.newFixedThreadPool(1);
-
- try {
-
- AuthenticationContext context = new AuthenticationContext(authority, true, executorService);
- Future<AuthenticationResult> future = authorizationSupplier.get(context, resource);
-
- result = future.get();
-
- } catch (MalformedURLException | InterruptedException e) {
- log.error("Authentication to {} is failed", resource, e);
- throw new DlabException(String.format("Cannot get token to %s", resource), e);
-
- } catch (ExecutionException e) {
- if (e.getCause() instanceof RuntimeException) {
- throw (RuntimeException) e.getCause();
- }
-
- throw new DlabException(String.format("Cannot get token to %s", resource), e);
-
- } finally {
- executorService.shutdown();
- }
-
- if (result == null) {
- throw new DlabException("Authentication result was null");
- }
-
- return result;
- }
-
- private UserInfo prepareUserInfo(AuthenticationResult authenticationResult) {
- com.microsoft.aad.adal4j.UserInfo ui = authenticationResult.getUserInfo();
- log.info("Extracted user info display id {}, {} {}", ui.getDisplayableId(), ui.getGivenName(),
- ui.getFamilyName());
-
- if (ui.getDisplayableId() != null && !ui.getDisplayableId().isEmpty()) {
- UserInfo userInfo = new UserInfo(ui.getDisplayableId(), getRandomToken());
- userInfo.setFirstName(ui.getGivenName());
- userInfo.setLastName(ui.getFamilyName());
- userInfo.getKeys().put("refresh_token", authenticationResult.getRefreshToken());
- userInfo.getKeys().put("created_date_of_refresh_token", Long.toString(System.currentTimeMillis()));
- return userInfo;
- }
-
- throw new DlabException("Cannot verify user identity");
- }
-
- private boolean checkRoles(RoleAssignmentResponse response, AuthenticationResult authenticationResult) {
-
- List<RoleAssignment> roles = (response != null) ? response.getValue() : null;
- if (roles != null && !roles.isEmpty()) {
- log.info("User {} has {} roles in configured scope for security",
- authenticationResult.getUserInfo().getDisplayableId(), roles.size());
-
- log.debug("User's({}) roles are {}", authenticationResult.getUserInfo().getDisplayableId(),
- roles.stream().map(RoleAssignment::getName).collect(Collectors.toList()));
- return true;
-
- } else {
- log.info("User {} does not have any roles in configured scope for security",
- authenticationResult.getUserInfo().getDisplayableId());
-
- throw new DlabException("User does not have any roles in pre-configured security scope for DLab");
- }
- }
-}
diff --git a/services/security-gcp/pom.xml b/services/security-gcp/pom.xml
deleted file mode 100644
index d6d0d6a..0000000
--- a/services/security-gcp/pom.xml
+++ /dev/null
@@ -1,66 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- ~ Licensed to the Apache Software Foundation (ASF) under one
- ~ or more contributor license agreements. See the NOTICE file
- ~ distributed with this work for additional information
- ~ regarding copyright ownership. The ASF licenses this file
- ~ to you under the Apache License, Version 2.0 (the
- ~ "License"); you may not use this file except in compliance
- ~ with the License. You may obtain a copy of the License at
- ~
- ~ http://www.apache.org/licenses/LICENSE-2.0
- ~
- ~ Unless required by applicable law or agreed to in writing,
- ~ software distributed under the License is distributed on an
- ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- ~ KIND, either express or implied. See the License for the
- ~ specific language governing permissions and limitations
- ~ under the License.
- -->
-
-<project xmlns="http://maven.apache.org/POM/4.0.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <parent>
- <artifactId>dlab</artifactId>
- <groupId>com.epam.dlab</groupId>
- <version>1.0</version>
- <relativePath>../../pom.xml</relativePath>
- </parent>
- <modelVersion>4.0.0</modelVersion>
-
- <artifactId>security-gcp</artifactId>
-
- <dependencies>
- <dependency>
- <groupId>com.epam.dlab</groupId>
- <artifactId>common</artifactId>
- <version>${project.parent.version}</version>
- </dependency>
-
- <dependency>
- <groupId>com.epam.dlab</groupId>
- <artifactId>dlab-model</artifactId>
- <version>${project.parent.version}</version>
- </dependency>
-
- <dependency>
- <groupId>com.google.api-client</groupId>
- <artifactId>google-api-client-java6</artifactId>
- <version>1.23.0</version>
- </dependency>
- <dependency>
- <groupId>com.epam.dlab</groupId>
- <artifactId>dlab-webapp-common</artifactId>
- <version>${project.parent.version}</version>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>com.google.apis</groupId>
- <artifactId>google-api-services-plus</artifactId>
- <version>v1-rev540-1.23.0</version>
- </dependency>
- </dependencies>
-
-
-</project>
\ No newline at end of file
diff --git a/services/security-gcp/src/main/java/com/epam/dlab/auth/gcp/resources/GcpOauth2SecurityResource.java b/services/security-gcp/src/main/java/com/epam/dlab/auth/gcp/resources/GcpOauth2SecurityResource.java
deleted file mode 100644
index 5758a3f..0000000
--- a/services/security-gcp/src/main/java/com/epam/dlab/auth/gcp/resources/GcpOauth2SecurityResource.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.gcp.resources;
-
-
-import com.epam.dlab.auth.contract.SecurityAPI;
-import com.epam.dlab.auth.oauth2.Oauth2AuthenticationService;
-import com.epam.dlab.dto.gcp.auth.GcpOauth2AuthorizationCodeResponse;
-import com.epam.dlab.exceptions.DlabAuthenticationException;
-import com.google.inject.Inject;
-
-import javax.ws.rs.GET;
-import javax.ws.rs.POST;
-import javax.ws.rs.Path;
-import javax.ws.rs.core.Response;
-
-import static java.util.Objects.nonNull;
-
-@Path("/")
-public class GcpOauth2SecurityResource {
-
- @Inject
- private Oauth2AuthenticationService authenticationService;
-
- @GET
- @Path(SecurityAPI.INIT_LOGIN_OAUTH_GCP)
- public Response redirectedUrl() {
- return Response.ok(authenticationService.getRedirectedUrl()).build();
- }
-
- @POST
- @Path(SecurityAPI.LOGIN_OAUTH)
- public Response oauthLogin(GcpOauth2AuthorizationCodeResponse codeResponse) {
- if (nonNull(codeResponse.getErrorMessage())) {
- throw new DlabAuthenticationException(codeResponse.getErrorMessage());
- }
- return Response.ok(authenticationService.authorize(codeResponse.getCode(), codeResponse.getState())).build();
- }
-}
diff --git a/services/security-gcp/src/main/java/com/epam/dlab/auth/gcp/service/GcpAuthenticationService.java b/services/security-gcp/src/main/java/com/epam/dlab/auth/gcp/service/GcpAuthenticationService.java
deleted file mode 100644
index 3f70ce9..0000000
--- a/services/security-gcp/src/main/java/com/epam/dlab/auth/gcp/service/GcpAuthenticationService.java
+++ /dev/null
@@ -1,110 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.gcp.service;
-
-import com.epam.dlab.auth.UserInfo;
-import com.epam.dlab.auth.UserInfoDAO;
-import com.epam.dlab.auth.conf.GcpLoginConfiguration;
-import com.epam.dlab.auth.oauth2.Oauth2AuthenticationService;
-import com.epam.dlab.exceptions.DlabAuthenticationException;
-import com.epam.dlab.exceptions.DlabException;
-import com.google.api.client.auth.oauth2.AuthorizationCodeFlow;
-import com.google.api.client.auth.oauth2.TokenResponse;
-import com.google.api.client.http.HttpTransport;
-import com.google.api.client.json.jackson2.JacksonFactory;
-import com.google.api.services.plus.Plus;
-import com.google.api.services.plus.model.Person;
-import com.google.common.cache.Cache;
-import com.google.inject.Inject;
-import com.google.inject.Singleton;
-import lombok.extern.slf4j.Slf4j;
-
-import java.io.IOException;
-import java.util.Objects;
-import java.util.UUID;
-
-@Singleton
-@Slf4j
-public class GcpAuthenticationService implements Oauth2AuthenticationService {
-
- private static final Object DUMMY = new Object();
- @Inject
- private AuthorizationCodeFlow codeFlow;
- @Inject
- private GcpLoginConfiguration configuration;
- @Inject
- private Cache<String, Object> cache;
- @Inject
- private UserInfoDAO userInfoDAO;
- @Inject
- private HttpTransport httpTransport;
- @Inject
- private JacksonFactory jacksonFactory;
-
- @Override
- public String getRedirectedUrl() {
- String uuid = UUID.randomUUID().toString();
- log.trace("Registered oauth state {}", uuid);
- cache.put(uuid, DUMMY);
- return codeFlow.newAuthorizationUrl()
- .setState(uuid)
- .setRedirectUri(configuration.getRedirectedUri()).build();
- }
-
- @Override
- public String authorize(String code, String state) {
- if (Objects.nonNull(cache.getIfPresent(state))) {
- final UserInfo userInfo = getUserInfo(code);
- userInfoDAO.saveUserInfo(userInfo);
- log.trace("Removing oauth state {}", state);
- cache.invalidate(state);
- log.debug("Successfully login user {} using oauth2", userInfo.getName());
- return userInfo.getAccessToken();
- }
- log.error("There is no state {} present in cache", state);
- throw new DlabAuthenticationException("You do not have proper permissions to use DLab. Please contact your " +
- "administrator");
- }
-
- private UserInfo getUserInfo(String code) {
- try {
- final TokenResponse tokenResponse = codeFlow.newTokenRequest(code)
- .setRedirectUri(configuration.getRedirectedUri())
- .execute();
- Plus plus = new Plus.
- Builder(httpTransport, jacksonFactory, codeFlow.createAndStoreCredential(tokenResponse, null))
- .setApplicationName(configuration.getApplicationName())
- .build();
- return toUserInfo(plus.people().get("me").execute());
- } catch (IOException e) {
- log.error("Exception occurred during google oauth2 authentication: {}", e.getMessage());
- throw new DlabException("Exception occurred during google oauth2 authentication: " + e.getMessage());
- }
- }
-
- private UserInfo toUserInfo(Person googleUser) {
- log.trace("Creating user from google user: {}", googleUser.getDisplayName());
- final UserInfo userInfo = new UserInfo(googleUser.getDisplayName(), UUID.randomUUID().toString());
- final Person.Name name = googleUser.getName();
- userInfo.setFirstName(name.getGivenName());
- userInfo.setLastName(name.getFamilyName());
- return userInfo;
- }
-}
diff --git a/services/security-service/pom.xml b/services/security-service/pom.xml
deleted file mode 100644
index 264b60c..0000000
--- a/services/security-service/pom.xml
+++ /dev/null
@@ -1,183 +0,0 @@
-<!--
- ~ Licensed to the Apache Software Foundation (ASF) under one
- ~ or more contributor license agreements. See the NOTICE file
- ~ distributed with this work for additional information
- ~ regarding copyright ownership. The ASF licenses this file
- ~ to you under the Apache License, Version 2.0 (the
- ~ "License"); you may not use this file except in compliance
- ~ with the License. You may obtain a copy of the License at
- ~
- ~ http://www.apache.org/licenses/LICENSE-2.0
- ~
- ~ Unless required by applicable law or agreed to in writing,
- ~ software distributed under the License is distributed on an
- ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- ~ KIND, either express or implied. See the License for the
- ~ specific language governing permissions and limitations
- ~ under the License.
- -->
-
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>com.epam.dlab</groupId>
- <artifactId>dlab</artifactId>
- <version>1.0</version>
- <relativePath>../../pom.xml</relativePath>
- </parent>
-
- <profiles>
- <profile>
- <id>aws</id>
- <dependencies>
- <dependency>
- <groupId>com.epam.dlab</groupId>
- <artifactId>security-aws</artifactId>
- <version>${project.version}</version>
- </dependency>
- </dependencies>
- </profile>
- <profile>
- <id>azure</id>
- <dependencies>
- <dependency>
- <groupId>com.epam.dlab</groupId>
- <artifactId>security-azure</artifactId>
- <version>${project.version}</version>
- </dependency>
- </dependencies>
- </profile>
- <profile>
- <id>gcp</id>
- <dependencies>
- <dependency>
- <groupId>com.epam.dlab</groupId>
- <artifactId>security-gcp</artifactId>
- <version>${project.version}</version>
- </dependency>
- </dependencies>
- </profile>
- </profiles>
-
- <artifactId>security-service</artifactId>
-
- <properties>
- <org.apache.directory.api.version>1.0.0-RC1</org.apache.directory.api.version>
- <jython-standalone.version>2.7.0</jython-standalone.version>
- </properties>
-
- <dependencies>
- <dependency>
- <groupId>com.epam.dlab</groupId>
- <artifactId>common</artifactId>
- </dependency>
- <dependency>
- <groupId>de.thomaskrille</groupId>
- <artifactId>dropwizard-template-config</artifactId>
- </dependency>
- <dependency>
- <groupId>com.epam.dlab</groupId>
- <artifactId>dlab-webapp-common</artifactId>
- <version>${project.parent.version}</version>
- </dependency>
- <dependency>
- <groupId>com.epam.dlab</groupId>
- <artifactId>security-aws</artifactId>
- <version>${project.version}</version>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>com.epam.dlab</groupId>
- <artifactId>security-azure</artifactId>
- <version>${project.version}</version>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>com.epam.dlab</groupId>
- <artifactId>security-gcp</artifactId>
- <version>${project.version}</version>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.directory.api</groupId>
- <artifactId>api-all</artifactId>
- <version>${org.apache.directory.api.version}</version>
- </dependency>
- <dependency>
- <groupId>org.python</groupId>
- <artifactId>jython-standalone</artifactId>
- <version>${jython-standalone.version}</version>
- </dependency>
- <dependency>
- <groupId>org.mongodb</groupId>
- <artifactId>mongo-java-driver</artifactId>
- <version>${org.mongodb.version}</version>
- </dependency>
- <dependency>
- <groupId>com.aegisql</groupId>
- <artifactId>conveyor</artifactId>
- <version>${com.aegisql.conveyor.version}</version>
- </dependency>
- <dependency>
- <groupId>com.epam.dlab</groupId>
- <artifactId>dlab-utils</artifactId>
- <version>${project.parent.version}</version>
- </dependency>
- <dependency>
- <groupId>org.mockito</groupId>
- <artifactId>mockito-core</artifactId>
- <version>${org.mockito.version}</version>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <artifactId>maven-shade-plugin</artifactId>
- <version>${maven-shade-plugin.version}</version>
- <executions>
- <execution>
- <phase>package</phase>
- <goals>
- <goal>shade</goal>
- </goals>
- <configuration>
- <filters>
- <filter>
- <artifact>com.microsoft*:*</artifact>
- <excludes>
- <exclude>META-INF/*.SF</exclude>
- <exclude>META-INF/*.DSA</exclude>
- <exclude>META-INF/*.RSA</exclude>
- </excludes>
- </filter>
- </filters>
- <createDependencyReducedPom>false</createDependencyReducedPom>
- <transformers>
- <transformer
- implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
- <transformer
- implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
- <mainClass>com.epam.dlab.auth.SecurityServiceApplication</mainClass>
- <manifestEntries>
- <Created-By><EPAM> Systems</Created-By>
- <Name>com/epam/dlab</Name>
- <Implementation-Title>DLab Security Service</Implementation-Title>
- <Implementation-Version>${dlab.version}</Implementation-Version>
- <Implementation-Vendor><EPAM> Systems</Implementation-Vendor>
- <Build-Time>${maven.build.timestamp}</Build-Time>
- <Build-OS>${os.name}</Build-OS>
- <GIT-Branch>${scmBranch}</GIT-Branch>
- <GIT-Commit>${buildNumber}</GIT-Commit>
- </manifestEntries>
- </transformer>
- </transformers>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
-</project>
\ No newline at end of file
diff --git a/services/security-service/security.yml b/services/security-service/security.yml
deleted file mode 100644
index 54dcb4d..0000000
--- a/services/security-service/security.yml
+++ /dev/null
@@ -1,150 +0,0 @@
-# *****************************************************************************
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-# ******************************************************************************
-
-<#include "ssn.yml">
-
-ldapUseConnectionPool: false
-ldapConnectionConfig:
-# ldapHost: localhost
- ldapHost: LDAP_HOST
-# ldapPort: 3890
- ldapPort: 389
- name: LDAP_USER,LDAP_DN
- credentials: LDAP_PASS
-useLdapBindTemplate: true
-ldapBindTemplate: uid=%s,LDAP_OU,LDAP_DN
-ldapBindAttribute: uid
-ldapSearchAttribute: uid
-ldapGroupAttribute: memberUid
-ldapGroupNameAttribute: cn
-ldapGroupUserAttribute: uid
-ldapSearchRequest:
- expirationTimeMsec: 600000
- scope: SUBTREE
- attributes:
- - cn
- - mail
- - uid
- - gidNumber
- timeLimit: 0
- base: LDAP_DN
- filter: "(&(objectClass=inetOrgPerson)(uid=$LDAP_SEARCH_ATTRIBUTE))"
-ldapGroupSearchRequest:
- expirationTimeMsec: 600000
- scope: SUBTREE
- attributes:
- - cn
- - memberUid
- timeLimit: 0
- base: LDAP_DN
- filter: "(&(objectClass=posixGroup))"
-server:
- requestLog:
- appenders:
- - type: file
- currentLogFilename: ${LOG_ROOT_DIR}/ssn/request-security.log
- archive: true
- archivedLogFilenamePattern: ${LOG_ROOT_DIR}/ssn/request-security-%d{yyyy-MM-dd}.log.gz
- archivedFileCount: 10
- applicationConnectors:
- - type: https
- port: 8090
- certAlias: dlab
- validateCerts: true
- keyStorePath: ${KEY_STORE_PATH}
- keyStorePassword: ${KEY_STORE_PASSWORD}
- trustStorePath: ${TRUST_STORE_PATH}
- trustStorePassword: ${TRUST_STORE_PASSWORD}
- adminConnectors:
- - type: https
- port: 8091
- certAlias: dlab
- validateCerts: true
- keyStorePath: ${KEY_STORE_PATH}
- keyStorePassword: ${KEY_STORE_PASSWORD}
- trustStorePath: ${TRUST_STORE_PATH}
- trustStorePassword: ${TRUST_STORE_PASSWORD}
-
-userInfoPersistenceEnabled: true
-
-<#if CLOUD_TYPE == "aws">
-awsUserIdentificationEnabled: true
-loginAuthenticationTimeout: 10
-<#elseif CLOUD_TYPE == "azure">
-loginAuthenticationTimeout: 20
-
-# Azure login configuration
-azureLoginConfiguration:
- # defines of LDAP server is used as authentication point, if false Azure OAuth authentication should be configured
- useLdap: <LOGIN_USE_LDAP>
- # Tenant id in Azure
- tenant: <LOGIN_TENANT_ID>
- # Authority url
- authority: https://login.microsoftonline.com/
- # Id of the application that logs in users
- clientId: <LOGIN_APPLICATION_ID>
- # Redirect url for OAuth2 Authorization code flow
- redirectUrl: https://<LOGIN_APPLICATION_REDIRECT_URL>/
- # defines if DLab checks user permission to the configured permissionScope(true|false).
- # If user does not have permissions(no Role assigned in permissionScope) he/she will not be logged in DLab
- validatePermissionScope: <VALIDATE_PERMISSION_SCOPE>
- # Scope for validation user permissions if validatePermissionScope: true
- permissionScope: <PERMISSION_SCOPE>
- # Authentication file that used for validation user permissions(query Microsoft API)
- managementApiAuthFile: <MANAGEMENT_API_AUTH_FILE>
- # defines how authorization code is sent to DLab
- responseMode: query
- # Type of consent that requires interaction with user(consent,login are allowed)
- prompt: consent
- # Defines if try to log in user silently without user interaction (with "none" prompt). if false start with configured prompt
- silent: true
- # login page of DLab
- loginPage: https://<LOGIN_PAGE>/
-
-<#elseif CLOUD_TYPE == "gcp">
-
-# GCP oauth2 login configuration
-gcpLoginConfiguration:
- oauth2authenticationEnabled: false
- clientId: <GCP_CLIENT_ID>
- clientSecret: <GCP_CLIENT_SECRET>
- redirectedUri: https://<GCP_REDIRECTED_URL>
- userStateCacheExpirationTime: 1
- userStateCacheSize: 1000
- applicationName: DLAB-webapp
-</#if>
-
-
-logging:
- level: INFO
- loggers:
- io.dropwizard: INFO
- com.epam: DEBUG
- com.aegisql: INFO
- appenders:
-#<#if DEV_MODE == "true">
- - type: console
-#</#if>
- - type: file
- currentLogFilename: ${LOG_ROOT_DIR}/ssn/security.log
- archive: true
- archivedLogFilenamePattern: ${LOG_ROOT_DIR}/ssn/security-%d{yyyy-MM-dd}.log.gz
- archivedFileCount: 10
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/SecurityServiceApplication.java b/services/security-service/src/main/java/com/epam/dlab/auth/SecurityServiceApplication.java
deleted file mode 100644
index b7ef304..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/SecurityServiceApplication.java
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth;
-
-import com.epam.dlab.auth.modules.ModuleFactory;
-import com.epam.dlab.auth.modules.SecurityServiceModule;
-import com.epam.dlab.cloud.CloudModule;
-import com.epam.dlab.rest.mappers.AuthenticationExceptionMapper;
-import com.epam.dlab.util.ServiceUtils;
-import com.google.inject.Guice;
-import com.google.inject.Injector;
-import de.thomaskrille.dropwizard_template_config.TemplateConfigBundle;
-import de.thomaskrille.dropwizard_template_config.TemplateConfigBundleConfiguration;
-import io.dropwizard.Application;
-import io.dropwizard.setup.Bootstrap;
-import io.dropwizard.setup.Environment;
-import lombok.extern.slf4j.Slf4j;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-@Slf4j
-public class SecurityServiceApplication extends Application<SecurityServiceConfiguration> {
-
- private static final Logger LOG = LoggerFactory.getLogger(SecurityServiceApplication.class);
-
- public static void main(String[] args) throws Exception {
- if (ServiceUtils.printAppVersion(SecurityServiceApplication.class, args)) {
- return;
- }
- LOG.debug("Starting Security Service Application with params: {}", String.join(",", args));
- new SecurityServiceApplication().run(args);
- }
-
- @Override
- public void initialize(Bootstrap<SecurityServiceConfiguration> bootstrap) {
- bootstrap.addBundle(new TemplateConfigBundle(
- new TemplateConfigBundleConfiguration().fileIncludePath(ServiceUtils.getConfPath())
- ));
- }
-
- @Override
- public void run(SecurityServiceConfiguration conf, Environment env) {
- CloudModule cloudModule = ModuleFactory.getCloudProviderModule(conf);
- Injector injector = Guice.createInjector(new SecurityServiceModule(conf, env), cloudModule);
- env.jersey().register(new AuthenticationExceptionMapper());
- cloudModule.init(env, injector);
- }
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/SecurityServiceConfiguration.java b/services/security-service/src/main/java/com/epam/dlab/auth/SecurityServiceConfiguration.java
deleted file mode 100644
index ac682ec..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/SecurityServiceConfiguration.java
+++ /dev/null
@@ -1,146 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-
-package com.epam.dlab.auth;
-
-import com.epam.dlab.ServiceConfiguration;
-import com.epam.dlab.auth.conf.AzureLoginConfiguration;
-import com.epam.dlab.auth.conf.GcpLoginConfiguration;
-import com.epam.dlab.auth.dao.Request;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import org.apache.directory.ldap.client.api.LdapConnectionConfig;
-
-import javax.validation.constraints.Min;
-import java.util.HashMap;
-import java.util.Map;
-
-public class SecurityServiceConfiguration extends ServiceConfiguration {
- @JsonProperty
- private boolean userInfoPersistenceEnabled = false;
- @JsonProperty
- private boolean awsUserIdentificationEnabled = false;
- @JsonProperty
- private boolean ldapUseConnectionPool = false;
- @JsonProperty
- @Min(5)
- private int loginAuthenticationTimeout = 10;
- @JsonProperty
- private String ldapBindTemplate;
- @JsonProperty
- private String ldapBindAttribute;
- @JsonProperty
- private String ldapSearchAttribute;
- @JsonProperty
- private boolean useLdapBindTemplate;
- @JsonProperty
- private Map<String, String> ldapConnectionConfig = new HashMap<>();
- @JsonProperty
- private AzureLoginConfiguration azureLoginConfiguration;
- @JsonProperty
- private GcpLoginConfiguration gcpLoginConfiguration;
-
- private LdapConnectionConfig ldapConfiguration;
-
- private String ldapGroupAttribute;
- private String ldapGroupNameAttribute;
- private String ldapGroupUserAttribute;
-
- @JsonProperty
- private Request ldapSearchRequest;
-
- @JsonProperty
- private Request ldapGroupSearchRequest;
-
- public SecurityServiceConfiguration() {
- super();
- }
-
- public String getLdapGroupUserAttribute() {
- return ldapGroupUserAttribute;
- }
-
- public String getLdapGroupAttribute() {
- return ldapGroupAttribute;
- }
-
- public String getLdapGroupNameAttribute() {
- return ldapGroupNameAttribute;
- }
-
- public Request getLdapGroupSearchRequest() {
- return ldapGroupSearchRequest;
- }
-
- public boolean isUserInfoPersistenceEnabled() {
- return userInfoPersistenceEnabled;
- }
-
- public LdapConnectionConfig getLdapConnectionConfig() {
- if (ldapConfiguration == null) {
- ldapConfiguration = new LdapConnectionConfig();
- ldapConfiguration.setLdapHost(ldapConnectionConfig.get("ldapHost"));
- ldapConfiguration.setLdapPort(Integer.parseInt(ldapConnectionConfig.get("ldapPort")));
- ldapConfiguration.setName(ldapConnectionConfig.get("name"));
- ldapConfiguration.setCredentials(ldapConnectionConfig.get("credentials"));
- }
- return ldapConfiguration;
-
- }
-
- public String getLdapBindTemplate() {
- return ldapBindTemplate;
- }
-
- public String getLdapBindAttribute() {
- return ldapBindAttribute;
- }
-
- public String getLdapSearchAttribute() {
- return ldapSearchAttribute;
- }
-
- public boolean isAwsUserIdentificationEnabled() {
- return awsUserIdentificationEnabled;
- }
-
- public int getLoginAuthenticationTimeout() {
- return loginAuthenticationTimeout;
- }
-
- public boolean isLdapUseConnectionPool() {
- return ldapUseConnectionPool;
- }
-
- public AzureLoginConfiguration getAzureLoginConfiguration() {
- return azureLoginConfiguration;
- }
-
- public boolean isUseLdapBindTemplate() {
- return useLdapBindTemplate;
- }
-
- public GcpLoginConfiguration getGcpLoginConfiguration() {
- return gcpLoginConfiguration;
- }
-
- public Request getLdapSearchRequest() {
- return ldapSearchRequest;
- }
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/core/DlabLdapConnection.java b/services/security-service/src/main/java/com/epam/dlab/auth/core/DlabLdapConnection.java
deleted file mode 100644
index 8b65939..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/core/DlabLdapConnection.java
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.core;
-
-import com.epam.dlab.exceptions.DlabException;
-import lombok.extern.slf4j.Slf4j;
-import org.apache.directory.ldap.client.api.LdapConnection;
-
-import java.io.Closeable;
-
-@Slf4j
-public abstract class DlabLdapConnection implements Closeable {
-
- abstract LdapConnection getConnection() throws Exception;
-
- public LdapConnection getBoundConnection() throws Exception {
- final LdapConnection connection = getConnection();
- if (!connection.connect()) {
- log.error("Cannot establish a connection to LDAP server");
- throw new DlabException("Login user failed. LDAP server is not available");
- }
- connection.bind();
- return connection;
- }
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/core/DlabLdapConnectionFactory.java b/services/security-service/src/main/java/com/epam/dlab/auth/core/DlabLdapConnectionFactory.java
deleted file mode 100644
index 6b9cd3f..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/core/DlabLdapConnectionFactory.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.core;
-
-import com.epam.dlab.auth.SecurityServiceConfiguration;
-import com.google.inject.Inject;
-import com.google.inject.Singleton;
-import org.apache.directory.ldap.client.api.LdapConnectionConfig;
-import org.apache.directory.ldap.client.api.LdapConnectionPool;
-import org.apache.directory.ldap.client.api.LdapNetworkConnection;
-import org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory;
-
-@Singleton
-public class DlabLdapConnectionFactory {
-
-
- private final LdapConnectionConfig connConfig;
- private final LdapConnectionPool connectionPool;
- private final boolean usePool;
-
- @Inject
- public DlabLdapConnectionFactory(SecurityServiceConfiguration configuration) {
- this.connConfig = configuration.getLdapConnectionConfig();
- this.connectionPool = new LdapConnectionPool(new ValidatingPoolableLdapConnectionFactory(connConfig));
- this.usePool = configuration.isLdapUseConnectionPool();
- }
-
- public DlabLdapConnection newConnection() {
- return usePool ? new ReturnableConnection(connectionPool) :
- new SimpleConnection(new LdapNetworkConnection(connConfig));
- }
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/core/ReturnableConnection.java b/services/security-service/src/main/java/com/epam/dlab/auth/core/ReturnableConnection.java
deleted file mode 100644
index 2a4aaca..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/core/ReturnableConnection.java
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.core;
-
-import org.apache.directory.api.ldap.model.exception.LdapException;
-import org.apache.directory.ldap.client.api.LdapConnection;
-import org.apache.directory.ldap.client.api.LdapConnectionPool;
-
-import java.io.IOException;
-import java.util.Objects;
-import java.util.concurrent.locks.Lock;
-import java.util.concurrent.locks.ReentrantLock;
-
-public class ReturnableConnection extends DlabLdapConnection {
-
- private final LdapConnectionPool pool;
- private LdapConnection con;
- private final Lock lock = new ReentrantLock();
-
- public ReturnableConnection(LdapConnectionPool pool) {
- Objects.requireNonNull(pool);
- this.pool = pool;
- }
-
- @Override
- public LdapConnection getConnection() throws Exception {
- try {
- lock.lock(); //just protect from inproper use
- if (con == null) {
- con = pool.borrowObject();
- } else {
- throw new IllegalStateException("Cannot reuse connection. Create new ReturnableConnection");
- }
- } finally {
- lock.unlock();
- }
- return con;
- }
-
- @Override
- public void close() throws IOException {
- try {
- pool.releaseConnection(con);
- } catch (LdapException e) {
- throw new IOException("LDAP Release Connection error", e);
- }
-
- }
-
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/core/SimpleConnection.java b/services/security-service/src/main/java/com/epam/dlab/auth/core/SimpleConnection.java
deleted file mode 100644
index 7afc5d7..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/core/SimpleConnection.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.core;
-
-import org.apache.directory.ldap.client.api.LdapConnection;
-import org.apache.directory.ldap.client.api.LdapNetworkConnection;
-
-import java.io.IOException;
-
-public class SimpleConnection extends DlabLdapConnection {
-
- private final LdapNetworkConnection connection;
-
- public SimpleConnection(LdapNetworkConnection connection) {
- this.connection = connection;
- }
-
- @Override
- public LdapConnection getConnection() {
- return this.connection;
- }
-
- @Override
- public void close() throws IOException {
- if (connection != null) {
- connection.close();
- }
-
- }
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/dao/LdapUserDAO.java b/services/security-service/src/main/java/com/epam/dlab/auth/dao/LdapUserDAO.java
deleted file mode 100644
index fec9433..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/dao/LdapUserDAO.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.dao;
-
-import com.epam.dlab.auth.UserInfo;
-
-import java.util.Set;
-
-public interface LdapUserDAO {
- UserInfo getUserInfo(String username, String password);
-
- Set<String> getUserGroups(UserInfo userInfo);
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/dao/LdapUserDAOImpl.java b/services/security-service/src/main/java/com/epam/dlab/auth/dao/LdapUserDAOImpl.java
deleted file mode 100644
index 3304dc5..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/dao/LdapUserDAOImpl.java
+++ /dev/null
@@ -1,165 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.dao;
-
-import com.epam.dlab.auth.SecurityServiceConfiguration;
-import com.epam.dlab.auth.UserInfo;
-import com.epam.dlab.auth.core.DlabLdapConnection;
-import com.epam.dlab.auth.core.DlabLdapConnectionFactory;
-import com.epam.dlab.exceptions.DlabException;
-import com.google.inject.Inject;
-import lombok.extern.slf4j.Slf4j;
-import org.apache.directory.api.ldap.model.cursor.SearchCursor;
-import org.apache.directory.api.ldap.model.entry.Attribute;
-import org.apache.directory.api.ldap.model.entry.Entry;
-import org.apache.directory.api.ldap.model.exception.LdapException;
-import org.apache.directory.api.ldap.model.message.SearchRequestImpl;
-import org.apache.directory.api.ldap.model.message.SearchResultEntry;
-import org.apache.directory.api.ldap.model.message.SearchScope;
-import org.apache.directory.api.ldap.model.name.Dn;
-import org.apache.directory.ldap.client.api.LdapConnection;
-
-import java.math.BigDecimal;
-import java.util.List;
-import java.util.Optional;
-import java.util.Set;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
-import java.util.stream.StreamSupport;
-
-@Slf4j
-public class LdapUserDAOImpl implements LdapUserDAO {
- private static final String LDAP_SEARCH_ATTRIBUTE = "$LDAP_SEARCH_ATTRIBUTE";
- private static final String COMMON_NAME_ATTRIBUTE = "cn";
- private final DlabLdapConnectionFactory connectionFactory;
- private final SecurityServiceConfiguration configuration;
-
- @Inject
- public LdapUserDAOImpl(DlabLdapConnectionFactory connectionFactory, SecurityServiceConfiguration configuration) {
- this.connectionFactory = connectionFactory;
- this.configuration = configuration;
- }
-
- @Override
- public UserInfo getUserInfo(String username, String password) {
-
- try (DlabLdapConnection connection = connectionFactory.newConnection()) {
- return getUserInfo(username, password, connection.getBoundConnection());
- } catch (Exception e) {
- log.error("Can not get user info for user {} due to: {}", username, e.getMessage());
- throw new DlabException("Can not get user info due to: " + e.getMessage(), e);
- }
- }
-
- @Override
- public Set<String> getUserGroups(UserInfo userInfo) {
- final String groupUserAttribute = userInfo.getKeys().get(configuration.getLdapGroupUserAttribute());
- try (DlabLdapConnection connection = connectionFactory.newConnection()) {
- final LdapConnection ldapConnection = connection.getBoundConnection();
- try (SearchCursor result = ldapConnection.search(getGroupSearchRequest())) {
- return StreamSupport.stream(result.spliterator(), false)
- .filter(r -> r instanceof SearchResultEntry)
- .map(r -> ((SearchResultEntry) r).getEntry())
- .flatMap(e -> groupStream(groupUserAttribute, e)).collect(Collectors.toSet());
- }
- } catch (Exception e) {
- log.error("Can not get user groups for user {} due to: {}", userInfo.getName(), e.getMessage());
- throw new DlabException("Can not get user groups due to: " + e.getMessage());
- }
- }
-
- private Stream<? extends String> groupStream(String groupUserAttribute, Entry e) {
- final Attribute groupAttribute = e.get(configuration.getLdapGroupAttribute());
- return StreamSupport.stream(groupAttribute.spliterator(), false)
- .anyMatch(v -> v.toString().equals(groupUserAttribute)) ?
- Stream.of(e.get(configuration.getLdapGroupNameAttribute()).get().toString()) :
- Stream.empty();
- }
-
- private UserInfo getUserInfo(String username, String password, LdapConnection ldapConnection) throws Exception {
- try (SearchCursor result = ldapConnection.search(getUserSearchRequest(username))) {
- return StreamSupport.stream(result.spliterator(), false)
- .filter(r -> r instanceof SearchResultEntry)
- .map(r -> ((SearchResultEntry) r).getEntry())
- .map(e -> toUserInfo(e, username))
- .peek(u -> bind(ldapConnection, u, password))
- .findAny()
- .orElseThrow(() -> new DlabException("User " + username + " not found"));
- }
- }
-
- private void bind(LdapConnection ldapConnection, UserInfo u, String password) {
- if (configuration.isUseLdapBindTemplate()) {
- final String bindTemplate = configuration.getLdapBindTemplate();
- final String ldapBindAttrName = configuration.getLdapBindAttribute();
- final String bindAttrValue = Optional.ofNullable(u.getKeys().get(ldapBindAttrName))
- .orElseThrow(() -> new DlabException("Bind attribute " + ldapBindAttrName + " is not found"));
- log.info("Biding with template: {} and attribute {} with value: {}", bindTemplate, ldapBindAttrName,
- bindAttrValue);
- try {
- ldapConnection.bind(String.format(bindTemplate, bindAttrValue), password);
- ldapConnection.unBind();
- } catch (LdapException e) {
- log.error("Can not bind user due to: {}", e.getMessage());
- throw new DlabException("Can not bind user due to: " + e.getMessage(), e);
- }
- }
- }
-
- private UserInfo toUserInfo(Entry e, String username) {
- final Dn dn = e.getDn();
- log.debug("Entry dn: {}", dn);
- final UserInfo userInfo = new UserInfo(username, null);
- e.getAttributes()
- .forEach(a -> userInfo.addKey(a.getId(), a.get().toString()));
- final String cn = userInfo.getKeys().get(COMMON_NAME_ATTRIBUTE);
- final String[] splittedCommonName = cn.split(" ");
- if (splittedCommonName.length == 2) {
- userInfo.setFirstName(splittedCommonName[0]);
- userInfo.setLastName(splittedCommonName[1]);
- }
-
- return userInfo;
- }
-
- private SearchRequestImpl getUserSearchRequest(String username) throws LdapException {
- final SearchRequestImpl searchRequest = new SearchRequestImpl();
- final Request searchRequestParams = configuration.getLdapSearchRequest();
- searchRequest.setBase(new Dn(searchRequestParams.getBase()));
- searchRequest.setFilter(searchRequestParams.getFilter().replace(LDAP_SEARCH_ATTRIBUTE, username));
- searchRequest.setScope(SearchScope.valueOf(searchRequestParams.getScope()));
- searchRequest.setTimeLimit(searchRequestParams.getTimeLimit());
- final List<String> attributes = searchRequestParams.getAttributes();
- searchRequest.addAttributes(attributes.toArray(new String[BigDecimal.ZERO.intValue()]));
- return searchRequest;
- }
-
- private SearchRequestImpl getGroupSearchRequest() throws LdapException {
- final SearchRequestImpl searchRequest = new SearchRequestImpl();
- final Request searchRequestParams = configuration.getLdapGroupSearchRequest();
- searchRequest.setBase(new Dn(searchRequestParams.getBase()));
- searchRequest.setFilter(searchRequestParams.getFilter());
- searchRequest.setScope(SearchScope.valueOf(searchRequestParams.getScope()));
- searchRequest.setTimeLimit(searchRequestParams.getTimeLimit());
- final List<String> attributes = searchRequestParams.getAttributes();
- searchRequest.addAttributes(attributes.toArray(new String[BigDecimal.ZERO.intValue()]));
- return searchRequest;
- }
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/dao/Request.java b/services/security-service/src/main/java/com/epam/dlab/auth/dao/Request.java
deleted file mode 100644
index 33475f9..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/dao/Request.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.dao;
-
-import lombok.Data;
-
-import java.util.List;
-
-@Data
-public class Request {
- private String name;
- private String scope;
- private List<String> attributes;
- private int timeLimit;
- private String base;
- private String filter = "";
- private long expirationTimeMsec = 600000;
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/dao/UserInfoDAODumbImpl.java b/services/security-service/src/main/java/com/epam/dlab/auth/dao/UserInfoDAODumbImpl.java
deleted file mode 100644
index 565d4d7..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/dao/UserInfoDAODumbImpl.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.dao;
-
-import com.epam.dlab.auth.UserInfo;
-import com.epam.dlab.auth.UserInfoDAO;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.util.Optional;
-
-public class UserInfoDAODumbImpl implements UserInfoDAO {
-
- private static final Logger LOG = LoggerFactory.getLogger(UserInfoDAODumbImpl.class);
-
- @Override
- public Optional<UserInfo> getUserInfoByAccessToken(String accessToken) {
- LOG.debug("UserInfo persistence find unavailable: {}",accessToken);
- return Optional.empty();
- }
-
- @Override
- public void updateUserInfoTTL(String accessToken, UserInfo ui) {
- LOG.debug("UserInfo persistence update unavailable: {} {}",accessToken,ui);
- }
-
- @Override
- public void deleteUserInfo(String accessToken) {
- LOG.debug("UserInfo persistence delete unavailable: {}",accessToken);
- }
-
- @Override
- public void saveUserInfo(UserInfo ui) {
- LOG.debug("UserInfo persistence save unavailable: {}",ui);
- }
-
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/dao/UserInfoDAOMongoImpl.java b/services/security-service/src/main/java/com/epam/dlab/auth/dao/UserInfoDAOMongoImpl.java
deleted file mode 100644
index 647e46e..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/dao/UserInfoDAOMongoImpl.java
+++ /dev/null
@@ -1,132 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.dao;
-
-import com.epam.dlab.auth.SecurityServiceConfiguration;
-import com.epam.dlab.auth.UserInfo;
-import com.epam.dlab.auth.UserInfoDAO;
-import com.epam.dlab.mongo.MongoService;
-import com.google.inject.Inject;
-import com.google.inject.Singleton;
-import com.mongodb.BasicDBList;
-import com.mongodb.BasicDBObject;
-import com.mongodb.client.FindIterable;
-import com.mongodb.client.MongoCollection;
-import lombok.extern.slf4j.Slf4j;
-
-import java.util.Date;
-import java.util.Optional;
-
-@Singleton
-@Slf4j
-public class UserInfoDAOMongoImpl implements UserInfoDAO {
- private static final String EXPIRE_AT_COLUMN = "expireAt";
- private static final String SECURITY_COLLECTION = "security";
- private final MongoService ms;
- private final long inactiveUserTimeoutMsec;
-
- @Inject
- public UserInfoDAOMongoImpl(MongoService ms, SecurityServiceConfiguration securityServiceConfiguration) {
- this.ms = ms;
- this.inactiveUserTimeoutMsec = securityServiceConfiguration.getInactiveUserTimeoutMillSec();
- }
-
- @Override
- public Optional<UserInfo> getUserInfoByAccessToken(String accessToken) {
- BasicDBObject uiSearchDoc = new BasicDBObject();
- uiSearchDoc.put("_id", accessToken);
- MongoCollection<BasicDBObject> mc = ms.getCollection(SECURITY_COLLECTION, BasicDBObject.class);
- FindIterable<BasicDBObject> res = mc.find(uiSearchDoc);
- BasicDBObject uiDoc = res.first();
- return Optional.ofNullable(uiDoc)
- .filter(doc -> !isExpired(accessToken, doc.getDate(EXPIRE_AT_COLUMN)))
- .map(doc -> toUserInfo(accessToken, doc));
- }
-
- @Override
- public void updateUserInfoTTL(String accessToken, UserInfo ui) {
-
- BasicDBObject uiDoc = new BasicDBObject();
- uiDoc.put("_id", accessToken);
- uiDoc.put(EXPIRE_AT_COLUMN, new Date(System.currentTimeMillis()));
- MongoCollection<BasicDBObject> security = ms.getCollection(SECURITY_COLLECTION, BasicDBObject.class);
- security.updateOne(new BasicDBObject("_id", accessToken), new BasicDBObject("$set", uiDoc));
- log.debug("Updated persistent {}", accessToken);
-
- }
-
- @Override
- public void deleteUserInfo(String accessToken) {
- BasicDBObject uiDoc = new BasicDBObject();
- uiDoc.put("_id", accessToken);
- MongoCollection<BasicDBObject> security = ms.getCollection(SECURITY_COLLECTION, BasicDBObject.class);
- security.deleteOne(uiDoc);
- log.debug("Deleted persistent {}", accessToken);
- }
-
- @Override
- public void saveUserInfo(UserInfo ui) {
- BasicDBObject uiDoc = new BasicDBObject();
- uiDoc.put("_id", ui.getAccessToken());
- uiDoc.put("name", ui.getName());
- uiDoc.put("firstName", ui.getFirstName());
- uiDoc.put("lastName", ui.getLastName());
- uiDoc.put("roles", ui.getRoles());
- uiDoc.put("remoteIp", ui.getRemoteIp());
- uiDoc.put("awsUser", ui.isAwsUser());
- uiDoc.put(EXPIRE_AT_COLUMN, new Date(System.currentTimeMillis()));
- uiDoc.put("awsKeys", ui.getKeys());
- MongoCollection<BasicDBObject> security = ms.getCollection(SECURITY_COLLECTION, BasicDBObject.class);
- security.insertOne(uiDoc);
- log.debug("Saved persistent {}", ui);
-
- }
-
- private UserInfo toUserInfo(String accessToken, BasicDBObject uiDoc) {
- String name = uiDoc.get("name").toString();
- String firstName = uiDoc.getString("firstName", "");
- String lastName = uiDoc.getString("lastName", "");
- String remoteIp = uiDoc.getString("remoteIp", "");
- BasicDBList roles = (BasicDBList) uiDoc.get("roles");
- boolean awsUser = uiDoc.getBoolean("awsUser", false);
- UserInfo ui = new UserInfo(name, accessToken);
- ui.setFirstName(firstName);
- ui.setLastName(lastName);
- ui.setRemoteIp(remoteIp);
- ui.setAwsUser(awsUser);
- Object awsKeys = uiDoc.get("awsKeys");
- if (awsKeys != null) {
- ((BasicDBObject) awsKeys).forEach((key, val) -> ui.addKey(key, val.toString()));
- }
- roles.forEach(o -> ui.addRole("" + o));
- return ui;
- }
-
- private boolean isExpired(String accessToken, Date lastAccess) {
- if (inactiveUserTimeoutMsec < Math.abs(new Date().getTime() - lastAccess.getTime())) {
- log.warn("UI for {} expired but were not evicted from DB. Contact MongoDB admin to create expireable " +
- "index on 'expireAt' key.", accessToken);
- this.deleteUserInfo(accessToken);
- return true;
- }
- return false;
- }
-
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/modules/AwsSecurityServiceModule.java b/services/security-service/src/main/java/com/epam/dlab/auth/modules/AwsSecurityServiceModule.java
deleted file mode 100644
index 2c1bfcd..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/modules/AwsSecurityServiceModule.java
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.modules;
-
-import com.amazonaws.auth.AWSCredentials;
-import com.amazonaws.auth.AWSCredentialsProvider;
-import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
-import com.epam.dlab.auth.SecurityServiceConfiguration;
-import com.epam.dlab.auth.UserVerificationService;
-import com.epam.dlab.auth.aws.dao.AwsUserDAO;
-import com.epam.dlab.auth.aws.dao.AwsUserDAOImpl;
-import com.epam.dlab.auth.aws.service.AwsCredentialRefreshService;
-import com.epam.dlab.auth.aws.service.AwsUserVerificationService;
-import com.epam.dlab.auth.resources.SynchronousLdapAuthenticationResource;
-import com.epam.dlab.cloud.CloudModule;
-import com.google.inject.Injector;
-import com.google.inject.Provides;
-import com.google.inject.Singleton;
-import io.dropwizard.setup.Environment;
-
-public class AwsSecurityServiceModule extends CloudModule {
- private final SecurityServiceConfiguration conf;
-
- AwsSecurityServiceModule(SecurityServiceConfiguration conf) {
- this.conf = conf;
- }
-
- @Override
- protected void configure() {
- if (conf.isAwsUserIdentificationEnabled()) {
- bind(AwsUserDAO.class).to(AwsUserDAOImpl.class);
- bind(UserVerificationService.class).to(AwsUserVerificationService.class);
- } else {
- bind(UserVerificationService.class).toInstance(SecurityServiceModule.defaultUserVerificationService());
- }
- }
-
- @Override
- public void init(Environment environment, Injector injector) {
- environment.jersey().register(injector.getInstance(SynchronousLdapAuthenticationResource.class));
- if (conf.isAwsUserIdentificationEnabled()) {
- environment.lifecycle().manage(injector.getInstance(AwsCredentialRefreshService.class));
- }
- }
-
- @Provides
- @Singleton
- private AWSCredentials awsCredentials(DefaultAWSCredentialsProviderChain providerChain) {
- if (conf.isDevMode()) {
- return devAwsCredentials();
- } else {
- return providerChain.getCredentials();
- }
- }
-
- private AWSCredentials devAwsCredentials() {
- return new AWSCredentials() {
- @Override
- public String getAWSAccessKeyId() {
- return "access_key";
- }
-
- @Override
- public String getAWSSecretKey() {
- return "secret_key";
- }
- };
- }
-
- @Provides
- @Singleton
- public AWSCredentialsProvider defaultAWSCredentialsProviderChain() {
- return new DefaultAWSCredentialsProviderChain();
- }
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/modules/AzureSecurityServiceModule.java b/services/security-service/src/main/java/com/epam/dlab/auth/modules/AzureSecurityServiceModule.java
deleted file mode 100644
index ef29a75..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/modules/AzureSecurityServiceModule.java
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.modules;
-
-import com.epam.dlab.auth.SecurityServiceConfiguration;
-import com.epam.dlab.auth.UserInfoDAO;
-import com.epam.dlab.auth.UserVerificationService;
-import com.epam.dlab.auth.azure.AzureAuthenticationResource;
-import com.epam.dlab.auth.azure.AzureLoginUrlBuilder;
-import com.epam.dlab.auth.azure.AzureSecurityResource;
-import com.epam.dlab.auth.azure.service.AzureAuthorizationCodeService;
-import com.epam.dlab.auth.azure.service.AzureAuthorizationCodeServiceImpl;
-import com.epam.dlab.auth.conf.AzureLoginConfiguration;
-import com.epam.dlab.auth.resources.SynchronousLdapAuthenticationResource;
-import com.epam.dlab.cloud.CloudModule;
-import com.google.inject.Injector;
-import io.dropwizard.setup.Environment;
-
-import java.io.IOException;
-
-public class AzureSecurityServiceModule extends CloudModule {
- private final SecurityServiceConfiguration conf;
-
- AzureSecurityServiceModule(SecurityServiceConfiguration configuration) {
- this.conf = configuration;
- }
-
- @Override
- protected void configure() {
- bind(UserVerificationService.class).toInstance(SecurityServiceModule.defaultUserVerificationService());
- final AzureLoginConfiguration azureLoginConfiguration = conf.getAzureLoginConfiguration();
- bind(AzureLoginConfiguration.class).toInstance(azureLoginConfiguration);
- if (!azureLoginConfiguration.isUseLdap()) {
- bind(AzureLoginUrlBuilder.class).toInstance(new AzureLoginUrlBuilder(azureLoginConfiguration));
- try {
- final AzureAuthorizationCodeServiceImpl authorizationCodeService = new
- AzureAuthorizationCodeServiceImpl(azureLoginConfiguration.getAuthority() +
- azureLoginConfiguration.getTenant() + "/", azureLoginConfiguration
- .getPermissionScope(), azureLoginConfiguration.getManagementApiAuthFile(),
- azureLoginConfiguration.isValidatePermissionScope());
- bind(AzureAuthorizationCodeService.class).toInstance(authorizationCodeService);
- } catch (IOException e) {
- throw new RuntimeException(e);
- }
- }
- }
-
- @Override
- public void init(Environment environment, Injector injector) {
-
- if (conf.getAzureLoginConfiguration().isUseLdap()) {
- environment.jersey().register(injector.getInstance(SynchronousLdapAuthenticationResource.class));
- } else {
- final AzureAuthenticationResource azureAuthenticationResource = new AzureAuthenticationResource(conf,
- injector.getInstance(UserInfoDAO.class), conf.getAzureLoginConfiguration(),
- injector.getInstance(AzureAuthorizationCodeService.class));
- environment.jersey().register(azureAuthenticationResource);
- environment.jersey().register(injector.getInstance(AzureSecurityResource.class));
- }
- }
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/modules/GcpSecurityServiceModule.java b/services/security-service/src/main/java/com/epam/dlab/auth/modules/GcpSecurityServiceModule.java
deleted file mode 100644
index abddab2..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/modules/GcpSecurityServiceModule.java
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.modules;
-
-import com.epam.dlab.auth.SecurityServiceConfiguration;
-import com.epam.dlab.auth.UserVerificationService;
-import com.epam.dlab.auth.conf.GcpLoginConfiguration;
-import com.epam.dlab.auth.gcp.resources.GcpOauth2SecurityResource;
-import com.epam.dlab.auth.gcp.service.GcpAuthenticationService;
-import com.epam.dlab.auth.oauth2.Oauth2AuthenticationService;
-import com.epam.dlab.auth.resources.SynchronousLdapAuthenticationResource;
-import com.epam.dlab.cloud.CloudModule;
-import com.google.api.client.auth.oauth2.AuthorizationCodeFlow;
-import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
-import com.google.api.client.http.HttpTransport;
-import com.google.api.client.http.javanet.NetHttpTransport;
-import com.google.api.client.json.jackson2.JacksonFactory;
-import com.google.common.cache.Cache;
-import com.google.common.cache.CacheBuilder;
-import com.google.inject.Injector;
-import com.google.inject.Provides;
-import com.google.inject.Singleton;
-import io.dropwizard.setup.Environment;
-
-import java.util.Arrays;
-import java.util.List;
-import java.util.concurrent.TimeUnit;
-
-public class GcpSecurityServiceModule extends CloudModule {
- private static final List<String> SCOPES = Arrays.asList("https://www.googleapis.com/auth/plus.login", "email",
- "profile", "https://www.googleapis.com/auth/plus.me");
- private final GcpLoginConfiguration conf;
-
- GcpSecurityServiceModule(SecurityServiceConfiguration conf) {
- this.conf = conf.getGcpLoginConfiguration();
- }
-
- @Override
- protected void configure() {
- if (conf.isOauth2authenticationEnabled()) {
- bind(Oauth2AuthenticationService.class).to(GcpAuthenticationService.class);
- }
- bind(GcpLoginConfiguration.class).toInstance(conf);
- bind(UserVerificationService.class).toInstance(SecurityServiceModule.defaultUserVerificationService());
- }
-
- @Override
- public void init(Environment environment, Injector injector) {
- environment.jersey().register(injector.getInstance(SynchronousLdapAuthenticationResource.class));
- if (conf.isOauth2authenticationEnabled()) {
- environment.jersey().register(injector.getInstance(GcpOauth2SecurityResource.class));
- }
- }
-
- @Provides
- @Singleton
- private Cache<String, Object> userStateCache() {
- return CacheBuilder.newBuilder().expireAfterWrite(conf.getUserStateCacheExpirationTime(), TimeUnit.HOURS)
- .maximumSize(conf.getUserStateCacheSize()).build();
- }
-
-
- @Provides
- @Singleton
- private HttpTransport httpTransport() {
- return new NetHttpTransport();
- }
-
- @Provides
- @Singleton
- private AuthorizationCodeFlow authorizationCodeFlow(HttpTransport httpTransport, JacksonFactory jacksonFactory) {
- return new GoogleAuthorizationCodeFlow.Builder(
- httpTransport, jacksonFactory, conf.getClientId(), conf.getClientSecret(), SCOPES)
- .build();
- }
-
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/modules/ModuleFactory.java b/services/security-service/src/main/java/com/epam/dlab/auth/modules/ModuleFactory.java
deleted file mode 100644
index 3d14901..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/modules/ModuleFactory.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.modules;
-
-import com.epam.dlab.auth.SecurityServiceConfiguration;
-import com.epam.dlab.cloud.CloudModule;
-
-public class ModuleFactory {
-
- private ModuleFactory() {
- }
-
- public static CloudModule getCloudProviderModule(SecurityServiceConfiguration configuration) {
- switch (configuration.getCloudProvider()) {
- case AWS:
- return new AwsSecurityServiceModule(configuration);
- case AZURE:
- return new AzureSecurityServiceModule(configuration);
- case GCP:
- return new GcpSecurityServiceModule(configuration);
- default:
- throw new UnsupportedOperationException(
- String.format("Unsupported cloud provider %s", configuration.getCloudProvider()));
- }
- }
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/modules/SecurityServiceModule.java b/services/security-service/src/main/java/com/epam/dlab/auth/modules/SecurityServiceModule.java
deleted file mode 100644
index 67a6b81..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/modules/SecurityServiceModule.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.modules;
-
-import com.epam.dlab.ModuleBase;
-import com.epam.dlab.auth.SecurityServiceConfiguration;
-import com.epam.dlab.auth.UserInfoDAO;
-import com.epam.dlab.auth.UserVerificationService;
-import com.epam.dlab.auth.dao.LdapUserDAO;
-import com.epam.dlab.auth.dao.LdapUserDAOImpl;
-import com.epam.dlab.auth.dao.UserInfoDAODumbImpl;
-import com.epam.dlab.auth.dao.UserInfoDAOMongoImpl;
-import com.epam.dlab.auth.service.AuthenticationService;
-import com.epam.dlab.auth.service.impl.LdapAuthenticationService;
-import com.epam.dlab.mongo.MongoService;
-import com.google.inject.Provides;
-import com.google.inject.Singleton;
-import io.dropwizard.setup.Environment;
-import lombok.extern.slf4j.Slf4j;
-
-@Slf4j
-public class SecurityServiceModule extends ModuleBase<SecurityServiceConfiguration> {
-
- public SecurityServiceModule(SecurityServiceConfiguration configuration, Environment environment) {
- super(configuration, environment);
- }
-
- @Override
- protected void configure() {
- bind(SecurityServiceConfiguration.class).toInstance(configuration);
- bind(LdapUserDAO.class).to(LdapUserDAOImpl.class);
- bind(AuthenticationService.class).to(LdapAuthenticationService.class);
- if (configuration.isUserInfoPersistenceEnabled()) {
- bind(UserInfoDAO.class).to(UserInfoDAOMongoImpl.class);
- } else {
- bind(UserInfoDAO.class).to(UserInfoDAODumbImpl.class);
- }
- }
-
- @Provides
- @Singleton
- private MongoService mongoService() {
- return configuration.getMongoFactory().build(environment);
- }
-
- public static UserVerificationService defaultUserVerificationService() {
- return userInfo -> log.debug("No additional user verification configured");
- }
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/resources/SynchronousLdapAuthenticationResource.java b/services/security-service/src/main/java/com/epam/dlab/auth/resources/SynchronousLdapAuthenticationResource.java
deleted file mode 100644
index c926c72..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/resources/SynchronousLdapAuthenticationResource.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.resources;
-
-import com.epam.dlab.auth.UserInfo;
-import com.epam.dlab.auth.dto.UserCredentialDTO;
-import com.epam.dlab.auth.service.AuthenticationService;
-import com.epam.dlab.rest.dto.ErrorDTO;
-import com.google.inject.Inject;
-import lombok.extern.slf4j.Slf4j;
-
-import javax.ws.rs.Consumes;
-import javax.ws.rs.POST;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
-
-/**
- * Used for authentication against LDAP server
- */
-@Path("/")
-@Consumes(MediaType.APPLICATION_JSON)
-@Produces(MediaType.APPLICATION_JSON)
-@Slf4j
-public class SynchronousLdapAuthenticationResource {
- private static final String INVALID_CREDENTIALS = "Username or password is invalid";
- private final AuthenticationService authenticationService;
-
- @Inject
- public SynchronousLdapAuthenticationResource(AuthenticationService authenticationService) {
- this.authenticationService = authenticationService;
- }
-
- @POST
- @Path("/login")
- public Response login(UserCredentialDTO cred) {
- log.debug("validating username:{} password:****** token:{}", cred.getUsername(), cred.getAccessToken());
- return authenticationService.login(cred)
- .map(userInfo -> Response.ok(userInfo.getAccessToken()).build())
- .orElse(unauthorizedResponse());
- }
-
- @POST
- @Path("/getuserinfo")
- public UserInfo getUserInfo(String accessToken) {
- return authenticationService.getUserInfo(accessToken).orElse(null);
- }
-
- @POST
- @Path("/logout")
- public Response logout(String accessToken) {
- authenticationService.logout(accessToken);
- return Response.ok().build();
- }
-
- private Response unauthorizedResponse() {
- return Response.status(Response.Status.UNAUTHORIZED)
- .entity(new ErrorDTO(Response.Status.UNAUTHORIZED.getStatusCode(), INVALID_CREDENTIALS))
- .type(MediaType.APPLICATION_JSON)
- .build();
- }
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/service/AuthenticationService.java b/services/security-service/src/main/java/com/epam/dlab/auth/service/AuthenticationService.java
deleted file mode 100644
index a97f804..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/service/AuthenticationService.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.service;
-
-import com.epam.dlab.auth.UserInfo;
-import com.epam.dlab.auth.dto.UserCredentialDTO;
-
-import java.util.Optional;
-
-public interface AuthenticationService {
-
- Optional<UserInfo> getUserInfo(String token);
-
- Optional<UserInfo> login(UserCredentialDTO credentialDTO);
-
- void logout(String token);
-}
diff --git a/services/security-service/src/main/java/com/epam/dlab/auth/service/impl/LdapAuthenticationService.java b/services/security-service/src/main/java/com/epam/dlab/auth/service/impl/LdapAuthenticationService.java
deleted file mode 100644
index b324cad..0000000
--- a/services/security-service/src/main/java/com/epam/dlab/auth/service/impl/LdapAuthenticationService.java
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.service.impl;
-
-import com.epam.dlab.auth.UserInfo;
-import com.epam.dlab.auth.UserInfoDAO;
-import com.epam.dlab.auth.UserVerificationService;
-import com.epam.dlab.auth.dao.LdapUserDAO;
-import com.epam.dlab.auth.dto.UserCredentialDTO;
-import com.epam.dlab.auth.service.AuthenticationService;
-import com.epam.dlab.exceptions.DlabAuthenticationException;
-import com.google.inject.Inject;
-import com.google.inject.Singleton;
-import lombok.extern.slf4j.Slf4j;
-import org.apache.commons.lang3.StringUtils;
-
-import java.util.Optional;
-
-import static com.epam.dlab.auth.rest.AbstractAuthenticationService.getRandomToken;
-
-@Singleton
-@Slf4j
-public class LdapAuthenticationService implements AuthenticationService {
- private final UserInfoDAO userInfoDAO;
- private final LdapUserDAO ldapUserDAO;
- private final UserVerificationService verificationService;
-
- @Inject
- public LdapAuthenticationService(UserInfoDAO userInfoDAO, LdapUserDAO ldapUserDAO,
- UserVerificationService verificationService) {
- this.userInfoDAO = userInfoDAO;
- this.ldapUserDAO = ldapUserDAO;
- this.verificationService = verificationService;
- }
-
- @Override
- public Optional<UserInfo> getUserInfo(String token) {
- return userInfoDAO.getUserInfoByAccessToken(token)
- .map(userInfo -> touchedUser(token, userInfo));
- }
-
- @Override
- public Optional<UserInfo> login(UserCredentialDTO credentialDTO) {
- try {
- final String token = credentialDTO.getAccessToken();
- return StringUtils.isNoneBlank(token) ? getUserInfo(token) : getLdapUserInfo(credentialDTO);
- } catch (Exception e) {
- log.error("Error occurred during login for user {}: {}", credentialDTO.getUsername(), e.getMessage());
- throw new DlabAuthenticationException("Username or password is invalid");
- }
- }
-
- @Override
- public void logout(String token) {
- userInfoDAO.deleteUserInfo(token);
- }
-
- private Optional<UserInfo> getLdapUserInfo(UserCredentialDTO credentialDTO) {
- final UserInfo user = ldapUserDAO.getUserInfo(credentialDTO.getUsername(), credentialDTO.getPassword());
- user.addRoles(ldapUserDAO.getUserGroups(user));
- verificationService.verify(user);
- final String token = getRandomToken();
- final UserInfo userWithToken = user.withToken(token);
- userInfoDAO.saveUserInfo(userWithToken);
- return Optional.of(userWithToken);
- }
-
- private UserInfo touchedUser(String token, UserInfo userInfo) {
- userInfoDAO.updateUserInfoTTL(token, userInfo);
- return userInfo.withToken(token);
- }
-}
diff --git a/services/security-service/src/main/resources/banner.txt b/services/security-service/src/main/resources/banner.txt
deleted file mode 100644
index 0b30daf..0000000
--- a/services/security-service/src/main/resources/banner.txt
+++ /dev/null
@@ -1,6 +0,0 @@
- _________ .__ __ _________ .__
- / _____/ ____ ____ __ _________|__|/ |_ ___.__. / _____/ ______________ _|__| ____ ____
- \_____ \_/ __ \_/ ___\| | \_ __ \ \ __< | | \_____ \_/ __ \_ __ \ \/ / |/ ___\/ __ \
- / \ ___/\ \___| | /| | \/ || | \___ | / \ ___/| | \/\ /| \ \__\ ___/
-/_______ /\___ >\___ >____/ |__| |__||__| / ____| /_______ /\___ >__| \_/ |__|\___ >___ >
- \/ \/ \/ \/ \/ \/ \/ \/
\ No newline at end of file
diff --git a/services/security-service/src/test/java/com/epam/dlab/auth/service/impl/LdapAuthenticationServiceTest.java b/services/security-service/src/test/java/com/epam/dlab/auth/service/impl/LdapAuthenticationServiceTest.java
deleted file mode 100644
index 4fb56c3..0000000
--- a/services/security-service/src/test/java/com/epam/dlab/auth/service/impl/LdapAuthenticationServiceTest.java
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.auth.service.impl;
-
-import com.epam.dlab.auth.UserInfo;
-import com.epam.dlab.auth.UserInfoDAO;
-import com.epam.dlab.auth.UserVerificationService;
-import com.epam.dlab.auth.dao.LdapUserDAO;
-import com.epam.dlab.auth.dto.UserCredentialDTO;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.InjectMocks;
-import org.mockito.Mock;
-import org.mockito.runners.MockitoJUnitRunner;
-
-import java.util.Optional;
-
-import static org.junit.Assert.*;
-import static org.mockito.Matchers.anyString;
-import static org.mockito.Matchers.eq;
-import static org.mockito.Matchers.refEq;
-import static org.mockito.Mockito.*;
-
-@RunWith(MockitoJUnitRunner.class)
-public class LdapAuthenticationServiceTest {
-
- private static final String TOKEN = "token123";
- private static final String USER = "user";
- private static final String PASSWORD = "password";
- @Mock
- private LdapUserDAO ldapUserDAO;
- @Mock
- private UserInfoDAO userInfoDAO;
- @Mock
- private UserVerificationService verificationService;
- @InjectMocks
- private LdapAuthenticationService ldapAuthenticationService;
-
- @Test
- public void getUserInfo() {
-
- when(userInfoDAO.getUserInfoByAccessToken(anyString())).thenReturn(Optional.of(userInfo()));
- final Optional<UserInfo> userInfo = ldapAuthenticationService.getUserInfo(TOKEN);
-
- assertTrue(userInfo.isPresent());
- assertEquals(USER.toLowerCase(), userInfo.get().getName());
- assertEquals(TOKEN, userInfo.get().getAccessToken());
-
- verify(userInfoDAO).getUserInfoByAccessToken(TOKEN);
- verify(userInfoDAO).updateUserInfoTTL(eq(TOKEN), refEq(userInfo()));
- verifyNoMoreInteractions(userInfoDAO);
- }
-
- @Test
- public void getUserInfoWhenUserNotFound() {
-
- when(userInfoDAO.getUserInfoByAccessToken(anyString())).thenReturn(Optional.empty());
- final Optional<UserInfo> userInfo = ldapAuthenticationService.getUserInfo(TOKEN);
-
- assertFalse(userInfo.isPresent());
-
- verify(userInfoDAO).getUserInfoByAccessToken(TOKEN);
- verifyNoMoreInteractions(userInfoDAO);
- }
-
- @Test
- public void loginWithoutAccessToken() {
-
- when(ldapUserDAO.getUserInfo(anyString(), anyString())).thenReturn(userInfo());
- final Optional<UserInfo> userInfo = ldapAuthenticationService.login(getCredentialDTO());
-
- assertTrue(userInfo.isPresent());
- assertEquals(USER, userInfo.get().getName());
- assertNotNull(userInfo.get().getAccessToken());
-
- verify(verificationService).verify(refEq(userInfo()));
- verify(ldapUserDAO).getUserInfo(USER, PASSWORD);
- verify(ldapUserDAO).getUserGroups(refEq(userInfo()));
- verify(userInfoDAO).saveUserInfo(refEq(userInfo().withToken(TOKEN), "accessToken"));
- verifyNoMoreInteractions(ldapUserDAO, userInfoDAO);
- }
-
- @Test
- public void loginWithAccessToken() {
-
- when(userInfoDAO.getUserInfoByAccessToken(anyString())).thenReturn(Optional.of(userInfo()));
- final UserCredentialDTO credentialDTO = getCredentialDTO();
- credentialDTO.setAccessToken(TOKEN);
- final Optional<UserInfo> userInfo = ldapAuthenticationService.login(credentialDTO);
-
- assertTrue(userInfo.isPresent());
- assertEquals(USER, userInfo.get().getName());
- assertNotNull(userInfo.get().getAccessToken());
-
- verify(userInfoDAO).getUserInfoByAccessToken(TOKEN);
- verify(userInfoDAO).updateUserInfoTTL(eq(TOKEN), refEq(userInfo()));
- verifyNoMoreInteractions(userInfoDAO);
- verifyZeroInteractions(ldapUserDAO, verificationService);
- }
-
- @Test
- public void logout() {
-
- ldapAuthenticationService.logout(TOKEN);
-
- verify(userInfoDAO).deleteUserInfo(TOKEN);
- verifyNoMoreInteractions(userInfoDAO);
- verifyZeroInteractions(ldapUserDAO);
- }
-
- private UserInfo userInfo() {
- return new UserInfo(USER, null);
- }
-
- private UserCredentialDTO getCredentialDTO() {
- final UserCredentialDTO dto = new UserCredentialDTO();
- dto.setUsername(USER);
- dto.setPassword(PASSWORD);
- return dto;
- }
-
-}
\ No newline at end of file
diff --git a/services/self-service/pom.xml b/services/self-service/pom.xml
index 5521958..961db9b 100644
--- a/services/self-service/pom.xml
+++ b/services/self-service/pom.xml
@@ -45,6 +45,12 @@
<dependencies>
<dependency>
+ <groupId>de.ahus1.keycloak.dropwizard</groupId>
+ <artifactId>keycloak-dropwizard</artifactId>
+ <version>1.1.1</version>
+ </dependency>
+
+ <dependency>
<groupId>com.novemberain</groupId>
<artifactId>quartz-mongodb</artifactId>
<version>2.1.0</version>
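Review bot: The new `keycloak-dropwizard` dependency is the only declared source of the `org.keycloak` adapter classes that `DropwizardBearerTokenFilterImpl` and `SelfServiceApplication` import directly, so the Keycloak adapter version actually in use is whatever 1.1.1 of this wrapper pulls in transitively. Declaring the `org.keycloak` adapter artifacts explicitly, or pinning them in the parent's dependency management, would make the adapter version visible and upgradable on its own, which matters for the component that validates bearer tokens.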
diff --git a/services/self-service/src/main/java/com/epam/dlab/backendapi/DropwizardBearerTokenFilterImpl.java b/services/self-service/src/main/java/com/epam/dlab/backendapi/DropwizardBearerTokenFilterImpl.java
new file mode 100644
index 0000000..9be4251
--- /dev/null
+++ b/services/self-service/src/main/java/com/epam/dlab/backendapi/DropwizardBearerTokenFilterImpl.java
@@ -0,0 +1,20 @@
+package com.epam.dlab.backendapi;
+
+import org.keycloak.adapters.AdapterDeploymentContext;
+import org.keycloak.adapters.KeycloakDeployment;
+import org.keycloak.adapters.NodesRegistrationManagement;
+import org.keycloak.jaxrs.JaxrsBearerTokenFilterImpl;
+
+import javax.annotation.Priority;
+import javax.ws.rs.Priorities;
+import javax.ws.rs.container.PreMatching;
+
+@PreMatching
+@Priority(Priorities.AUTHENTICATION)
+public class DropwizardBearerTokenFilterImpl extends JaxrsBearerTokenFilterImpl {
+
+ public DropwizardBearerTokenFilterImpl(KeycloakDeployment keycloakDeployment) {
+ deploymentContext = new AdapterDeploymentContext(keycloakDeployment);
+ nodesRegistrationManagement = new NodesRegistrationManagement();
+ }
+}
\ No newline at end of file
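Review bot: The new file has no ASF license header, unlike every other source file in this diff, and no class Javadoc saying why the filter is built from a `KeycloakDeployment` directly instead of the servlet-init path of `JaxrsBearerTokenFilterImpl`; a one-liner such as `/** Jersey bearer-token filter built from an already-resolved KeycloakDeployment rather than servlet init parameters. */` would cover it. The `NodesRegistrationManagement` created in the constructor is never stopped here; if the application has a lifecycle hook, its stop method should presumably be called from there. Nothing in the visible hunks registers this filter with Jersey, so whether it is actually used cannot be confirmed from this view.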
diff --git a/services/self-service/src/main/java/com/epam/dlab/backendapi/SelfServiceApplication.java b/services/self-service/src/main/java/com/epam/dlab/backendapi/SelfServiceApplication.java
index 979464f..9fbcd75 100644
--- a/services/self-service/src/main/java/com/epam/dlab/backendapi/SelfServiceApplication.java
+++ b/services/self-service/src/main/java/com/epam/dlab/backendapi/SelfServiceApplication.java
@@ -19,6 +19,7 @@
package com.epam.dlab.backendapi;
+import com.epam.dlab.auth.UserInfo;
import com.epam.dlab.backendapi.dao.IndexCreator;
import com.epam.dlab.backendapi.domain.EnvStatusListener;
import com.epam.dlab.backendapi.domain.ExploratoryLibCache;
@@ -42,10 +43,15 @@ import com.google.inject.Guice;
import com.google.inject.Injector;
import com.google.inject.Key;
import com.google.inject.name.Names;
+import de.ahus1.keycloak.dropwizard.AbstractKeycloakAuthenticator;
+import de.ahus1.keycloak.dropwizard.KeycloakBundle;
+import de.ahus1.keycloak.dropwizard.KeycloakConfiguration;
import de.thomaskrille.dropwizard_template_config.TemplateConfigBundle;
import de.thomaskrille.dropwizard_template_config.TemplateConfigBundleConfiguration;
import io.dropwizard.Application;
import io.dropwizard.assets.AssetsBundle;
+import io.dropwizard.auth.Authenticator;
+import io.dropwizard.auth.Authorizer;
import io.dropwizard.forms.MultiPartBundle;
import io.dropwizard.jersey.setup.JerseyEnvironment;
import io.dropwizard.jetty.BiDiGzipHandler;
@@ -57,8 +63,12 @@ import lombok.extern.slf4j.Slf4j;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.HandlerWrapper;
+import org.keycloak.KeycloakSecurityContext;
+import org.keycloak.representations.AccessToken;
import javax.servlet.DispatcherType;
+import javax.servlet.http.HttpServletRequest;
+import java.security.Principal;
import java.util.EnumSet;
/**
@@ -98,6 +108,45 @@ public class SelfServiceApplication extends Application<SelfServiceApplicationCo
return configuration.getSwaggerConfiguration();
}
});
+
+ bootstrap.addBundle(new KeycloakBundle<SelfServiceApplicationConfiguration>() {
+ @Override
+ protected KeycloakConfiguration getKeycloakConfiguration(SelfServiceApplicationConfiguration configuration) {
+ return configuration.getKeycloakConfiguration();
+ }
+
+ @Override
+ protected Class<? extends Principal> getUserClass() {
+ return UserInfo.class;
+ }
+
+ @Override
+ protected Authorizer createAuthorizer() {
+ return (Authorizer<UserInfo>) (principal, role) -> principal.getRoles().contains(role);
+ }
+
+ @Override
+ protected Authenticator createAuthenticator(KeycloakConfiguration configuration) {
+ class KeycloakAuthenticator extends AbstractKeycloakAuthenticator<UserInfo> {
+
+ private KeycloakAuthenticator(KeycloakConfiguration keycloakConfiguration) {
+ super(keycloakConfiguration);
+ }
+
+ @Override
+ protected UserInfo prepareAuthentication(KeycloakSecurityContext keycloakSecurityContext,
+ HttpServletRequest httpServletRequest,
+ KeycloakConfiguration keycloakConfiguration) {
+ final AccessToken token = keycloakSecurityContext.getToken();
+ final UserInfo userInfo = new UserInfo(token.getPreferredUsername(),
+ keycloakSecurityContext.getIdTokenString());
+ userInfo.addRoles(token.getResourceAccess(keycloakConfiguration.getResource()).getRoles());
+ return userInfo;
+ }
+ }
+ return new KeycloakAuthenticator(configuration);
+ }
+ });
}
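Review bot: `token.getResourceAccess(keycloakConfiguration.getResource())` at L4057 returns null when the access token carries no `resource_access` entry for this client, so a valid user with no client roles would fail with a NullPointerException inside authentication instead of a clean 401/403. Guard it: `final AccessToken.Access access = token.getResourceAccess(keycloakConfiguration.getResource());` followed by `if (access != null) { userInfo.addRoles(access.getRoles()); }`. Separately, `createAuthorizer()` at L4038 returns a raw `Authorizer` and casts the lambda; declaring it `protected Authorizer<UserInfo> createAuthorizer()` would remove the unchecked cast if the base class signature permits. The `UserInfo` is also built with `getIdTokenString()` at L4056, which for a pure bearer-token request is presumably null, so anything downstream that uses `getAccessToken()` as a session key should be checked.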
@Override
@@ -133,6 +182,7 @@ public class SelfServiceApplication extends Application<SelfServiceApplicationCo
JerseyEnvironment jersey = environment.jersey();
+
jersey.register(new RuntimeExceptionMapper());
jersey.register(new JsonProcessingExceptionMapper());
jersey.register(new ResourceConflictExceptionMapper());
diff --git a/services/self-service/src/main/java/com/epam/dlab/backendapi/SelfServiceApplicationConfiguration.java b/services/self-service/src/main/java/com/epam/dlab/backendapi/SelfServiceApplicationConfiguration.java
index 6499b67..c21c3eb 100644
--- a/services/self-service/src/main/java/com/epam/dlab/backendapi/SelfServiceApplicationConfiguration.java
+++ b/services/self-service/src/main/java/com/epam/dlab/backendapi/SelfServiceApplicationConfiguration.java
@@ -28,16 +28,20 @@ import com.epam.dlab.validation.AwsValidation;
import com.epam.dlab.validation.AzureValidation;
import com.epam.dlab.validation.GcpValidation;
import com.fasterxml.jackson.annotation.JsonProperty;
+import de.ahus1.keycloak.dropwizard.KeycloakConfiguration;
import io.dropwizard.client.JerseyClientConfiguration;
import io.dropwizard.util.Duration;
import io.federecio.dropwizard.swagger.SwaggerBundleConfiguration;
import org.hibernate.validator.constraints.NotEmpty;
import org.hibernate.validator.group.GroupSequenceProvider;
+import org.keycloak.representations.adapters.config.AdapterConfig;
import javax.validation.Valid;
import javax.validation.constraints.Max;
import javax.validation.constraints.Min;
import javax.validation.constraints.NotNull;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
import java.util.Map;
/**
@@ -125,6 +129,8 @@ public class SelfServiceApplicationConfiguration extends ServiceConfiguration {
@NotNull
private Map<String, String> guacamole;
+ private KeycloakConfiguration keycloakConfiguration = new KeycloakConfiguration();
+
public Map<String, String> getGuacamole() {
return guacamole;
}
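Review bot: The new `keycloakConfiguration` field at L4098 carries no `@Valid` or `@NotNull`, unlike the neighbouring `guacamole` field, so a missing or malformed Keycloak section in the YAML would pass Dropwizard's startup validation and only surface on the first authenticated request. `@Valid @NotNull private KeycloakConfiguration keycloakConfiguration = new KeycloakConfiguration();` validates it at startup, assuming `KeycloakConfiguration` itself declares constraints. If the other fields of this class rely on `@JsonProperty` for YAML binding, this field needs it too, since it has no setter.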
@@ -257,4 +263,12 @@ public class SelfServiceApplicationConfiguration extends ServiceConfiguration {
public RESTServiceFactory getMavenApiFactory() {
return mavenApiFactory;
}
+
+ public KeycloakConfiguration getKeycloakConfiguration() {
+ return keycloakConfiguration;
+ }
+
+ public static void main(String[] args) throws NoSuchAlgorithmException {
+ KeyFactory kf = KeyFactory.getInstance("ECDSA");
+ }
}
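Review bot: The `main` method added at L4112 looks like leftover debugging: it creates a `KeyFactory` that is never used, does not belong in a configuration class, and the two `java.security` imports added earlier in this file exist only to support it, so all three should be removed. Note also that `"ECDSA"` is not a standard JDK `KeyFactory` algorithm name (the JDK uses `"EC"`), so if it were ever run it would throw `NoSuchAlgorithmException` unless a third-party provider is installed.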
diff --git a/services/self-service/src/main/java/com/epam/dlab/backendapi/auth/SelfServiceSecurityAuthenticator.java b/services/self-service/src/main/java/com/epam/dlab/backendapi/auth/SelfServiceSecurityAuthenticator.java
deleted file mode 100644
index 9399399..0000000
--- a/services/self-service/src/main/java/com/epam/dlab/backendapi/auth/SelfServiceSecurityAuthenticator.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package com.epam.dlab.backendapi.auth;
-
-import com.epam.dlab.auth.SecurityRestAuthenticator;
-import com.epam.dlab.auth.UserInfo;
-import com.epam.dlab.backendapi.domain.EnvStatusListener;
-import com.google.inject.Inject;
-import com.google.inject.Singleton;
-import io.dropwizard.auth.AuthenticationException;
-import lombok.extern.slf4j.Slf4j;
-
-import java.util.Optional;
-
-@Slf4j
-@Singleton
-public class SelfServiceSecurityAuthenticator extends SecurityRestAuthenticator {
- private final EnvStatusListener envStatusListener;
-
- @Inject
- public SelfServiceSecurityAuthenticator(EnvStatusListener envStatusListener) {
- this.envStatusListener = envStatusListener;
- }
-
- @Override
- public Optional<UserInfo> authenticate(String credentials) throws AuthenticationException {
- Optional<UserInfo> userInfo = super.authenticate(credentials);
- userInfo.ifPresent(ui -> {
- // Touch session
- UserInfo touched = envStatusListener.getSession(ui.getName());
- if (touched == null) {
- log.warn("Session does not exist for for env status listener {} {}",
- ui.getName(), ui.getAccessToken());
- }
- });
- return userInfo;
- }
-}
diff --git a/services/self-service/src/main/java/com/epam/dlab/backendapi/modules/AwsSelfServiceModule.java b/services/self-service/src/main/java/com/epam/dlab/backendapi/modules/AwsSelfServiceModule.java
index d80e9fb..ea43416 100644
--- a/services/self-service/src/main/java/com/epam/dlab/backendapi/modules/AwsSelfServiceModule.java
+++ b/services/self-service/src/main/java/com/epam/dlab/backendapi/modules/AwsSelfServiceModule.java
@@ -19,11 +19,9 @@
package com.epam.dlab.backendapi.modules;
-import com.epam.dlab.auth.SecurityFactory;
import com.epam.dlab.backendapi.SelfServiceApplication;
import com.epam.dlab.backendapi.SelfServiceApplicationConfiguration;
import com.epam.dlab.backendapi.annotation.BudgetLimited;
-import com.epam.dlab.backendapi.auth.SelfServiceSecurityAuthenticator;
import com.epam.dlab.backendapi.dao.BillingDAO;
import com.epam.dlab.backendapi.dao.KeyDAO;
import com.epam.dlab.backendapi.dao.aws.AwsBillingDAO;
@@ -45,7 +43,6 @@ import com.fiestacabin.dropwizard.quartz.SchedulerConfiguration;
import com.google.inject.Injector;
import com.google.inject.Provides;
import com.google.inject.Singleton;
-import io.dropwizard.auth.Authorizer;
import io.dropwizard.setup.Environment;
import org.quartz.Scheduler;
import org.quartz.SchedulerException;
@@ -81,8 +78,8 @@ public class AwsSelfServiceModule extends CloudModule {
environment.jersey().register(injector.getInstance(ComputationalResourceAws.class));
environment.jersey().register(injector.getInstance(BillingResourceAws.class));
- injector.getInstance(SecurityFactory.class).configure(injector, environment,
- SelfServiceSecurityAuthenticator.class, injector.getInstance(Authorizer.class));
+ /*injector.getInstance(SecurityFactory.class).configure(injector, environment,
+ SelfServiceSecurityAuthenticator.class, injector.getInstance(Authorizer.class));*/
}
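Review bot: Commenting out the `SecurityFactory.configure(...)` call at the end of `init` leaves `ComputationalResourceAws` and `BillingResourceAws` registered with no authenticator or authorizer wired in this module, and nothing in the diff shows the Keycloak replacement taking over for them. Commented-out code should be deleted rather than kept; if a Keycloak filter registered elsewhere is meant to cover these resources, a short comment would let a reader verify that, e.g. `// Authentication is applied by the Keycloak filter registered in <TODO: component>; no per-module SecurityFactory wiring.` The same commented-out block appears in `AzureSelfServiceModule` and `GcpSelfServiceModule` below. The enclosing `init` method starts outside the hunk.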
diff --git a/services/self-service/src/main/java/com/epam/dlab/backendapi/modules/AzureSelfServiceModule.java b/services/self-service/src/main/java/com/epam/dlab/backendapi/modules/AzureSelfServiceModule.java
index c59c3d2..a091e2c 100644
--- a/services/self-service/src/main/java/com/epam/dlab/backendapi/modules/AzureSelfServiceModule.java
+++ b/services/self-service/src/main/java/com/epam/dlab/backendapi/modules/AzureSelfServiceModule.java
@@ -19,19 +19,14 @@
package com.epam.dlab.backendapi.modules;
-import com.epam.dlab.auth.SecurityFactory;
-import com.epam.dlab.auth.rest.UserSessionDurationAuthorizer;
import com.epam.dlab.backendapi.SelfServiceApplication;
import com.epam.dlab.backendapi.SelfServiceApplicationConfiguration;
import com.epam.dlab.backendapi.annotation.BudgetLimited;
-import com.epam.dlab.backendapi.auth.SelfServiceSecurityAuthenticator;
import com.epam.dlab.backendapi.dao.BillingDAO;
import com.epam.dlab.backendapi.dao.KeyDAO;
import com.epam.dlab.backendapi.dao.azure.AzureBillingDAO;
import com.epam.dlab.backendapi.dao.azure.AzureKeyDao;
import com.epam.dlab.backendapi.interceptor.BudgetLimitInterceptor;
-import com.epam.dlab.backendapi.resources.SecurityResource;
-import com.epam.dlab.backendapi.resources.azure.AzureOauthResource;
import com.epam.dlab.backendapi.resources.azure.BillingResourceAzure;
import com.epam.dlab.backendapi.resources.azure.ComputationalResourceAzure;
import com.epam.dlab.backendapi.resources.callback.azure.EdgeCallbackAzure;
@@ -48,7 +43,6 @@ import com.fiestacabin.dropwizard.quartz.SchedulerConfiguration;
import com.google.inject.Injector;
import com.google.inject.Provides;
import com.google.inject.Singleton;
-import io.dropwizard.auth.Authorizer;
import io.dropwizard.setup.Environment;
import lombok.extern.slf4j.Slf4j;
import org.quartz.Scheduler;
@@ -93,18 +87,6 @@ public class AzureSelfServiceModule extends CloudModule {
environment.jersey().register(injector.getInstance(ComputationalResourceAzure.class));
environment.jersey().register(injector.getInstance(BillingResourceAzure.class));
- if (!useLdap) {
- environment.jersey().register(injector.getInstance(AzureOauthResource.class));
- injector.getInstance(SecurityFactory.class).configure(injector, environment,
- SelfServiceSecurityAuthenticator.class,
- new UserSessionDurationAuthorizer(ui ->
- injector.getInstance(SecurityResource.class).userLogout(ui),
- maxSessionDurabilityMilliseconds));
- }
-
- injector.getInstance(SecurityFactory.class).configure(injector, environment,
- SelfServiceSecurityAuthenticator.class, injector.getInstance(Authorizer.class));
-
}
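Review bot: Removing the `UserSessionDurationAuthorizer` for the non-LDAP path drops the maximum-session-duration enforcement tied to `maxSessionDurabilityMilliseconds`, and no replacement is visible in the diff; if Keycloak token lifetimes are intended to bound sessions from now on, that should be stated in the commit or in a comment here, otherwise self-service sessions are no longer time-limited on this side. The `useLdap` and `maxSessionDurabilityMilliseconds` members read here appear to have no remaining users in this module (their declarations are outside the hunk), so they would be candidates for removal too. The enclosing `init` method starts outside the hunk.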
@Provides
diff --git a/services/self-service/src/main/java/com/epam/dlab/backendapi/modules/DevModule.java b/services/self-service/src/main/java/com/epam/dlab/backendapi/modules/DevModule.java
index bd4a5ab..c8db053 100644
--- a/services/self-service/src/main/java/com/epam/dlab/backendapi/modules/DevModule.java
+++ b/services/self-service/src/main/java/com/epam/dlab/backendapi/modules/DevModule.java
@@ -66,8 +66,8 @@ public class DevModule extends ModuleBase<SelfServiceApplicationConfiguration> i
protected void configure() {
bind(SelfServiceApplicationConfiguration.class).toInstance(configuration);
bind(MongoService.class).toInstance(configuration.getMongoFactory().build(environment));
- bind(RESTService.class).annotatedWith(Names.named(ServiceConsts.SECURITY_SERVICE_NAME))
- .toInstance(createAuthenticationService());
+ /*bind(RESTService.class).annotatedWith(Names.named(ServiceConsts.SECURITY_SERVICE_NAME))
+ .toInstance(createAuthenticationService());*/
bind(RESTService.class).annotatedWith(Names.named(ServiceConsts.PROVISIONING_SERVICE_NAME))
.toInstance(configuration.getProvisioningFactory()
.build(environment, ServiceConsts.PROVISIONING_SERVICE_NAME));
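Review bot: The `@Named(ServiceConsts.SECURITY_SERVICE_NAME)` binding should be deleted rather than left as a comment, and `createAuthenticationService()` (defined outside the hunk) looks like it now has no caller and should go with it, so the dev module does not carry a dead security-service client. Any injection point elsewhere that still asks for `@Named(ServiceConsts.SECURITY_SERVICE_NAME) RESTService` would now fail at injector creation; `SecurityResource` is adapted in this commit, but it is worth confirming no other constructor still requests it. The enclosing `configure` method continues outside the hunk.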
diff --git a/services/self-service/src/main/java/com/epam/dlab/backendapi/modules/GcpSelfServiceModule.java b/services/self-service/src/main/java/com/epam/dlab/backendapi/modules/GcpSelfServiceModule.java
index 70dae00..49b7c3d 100644
--- a/services/self-service/src/main/java/com/epam/dlab/backendapi/modules/GcpSelfServiceModule.java
+++ b/services/self-service/src/main/java/com/epam/dlab/backendapi/modules/GcpSelfServiceModule.java
@@ -19,10 +19,8 @@
package com.epam.dlab.backendapi.modules;
-import com.epam.dlab.auth.SecurityFactory;
import com.epam.dlab.backendapi.SelfServiceApplication;
import com.epam.dlab.backendapi.SelfServiceApplicationConfiguration;
-import com.epam.dlab.backendapi.auth.SelfServiceSecurityAuthenticator;
import com.epam.dlab.backendapi.dao.BillingDAO;
import com.epam.dlab.backendapi.dao.KeyDAO;
import com.epam.dlab.backendapi.dao.gcp.GcpBillingDao;
@@ -41,7 +39,6 @@ import com.fiestacabin.dropwizard.quartz.SchedulerConfiguration;
import com.google.inject.Injector;
import com.google.inject.Provides;
import com.google.inject.Singleton;
-import io.dropwizard.auth.Authorizer;
import io.dropwizard.setup.Environment;
import org.quartz.Scheduler;
import org.quartz.SchedulerException;
@@ -57,14 +54,12 @@ public class GcpSelfServiceModule extends CloudModule {
@SuppressWarnings("unchecked")
public void init(Environment environment, Injector injector) {
- environment.jersey().register(injector.getInstance(EdgeCallbackGcp.class));
+ /*environment.jersey().register(injector.getInstance(EdgeCallbackGcp.class));
environment.jersey().register(injector.getInstance(KeyUploaderCallbackGcp.class));
environment.jersey().register(injector.getInstance(ComputationalResourceGcp.class));
if (injector.getInstance(SelfServiceApplicationConfiguration.class).isGcpOuauth2AuthenticationEnabled()) {
environment.jersey().register(injector.getInstance(GcpOauthResource.class));
- }
- injector.getInstance(SecurityFactory.class).configure(injector, environment,
- SelfServiceSecurityAuthenticator.class, injector.getInstance(Authorizer.class));
+ }*/
}
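Review bot: The comment block in `init` swallows the registration of `EdgeCallbackGcp`, `KeyUploaderCallbackGcp`, `ComputationalResourceGcp` and `GcpOauthResource`, none of which is part of the security service being replaced, so the GCP self-service module now registers no REST endpoints at all. Only the two `SecurityFactory.configure(...)` lines should be removed; the resource registrations need to stay (if `GcpOauthResource` is also being retired, drop just that `if` block, which is not evident from the diff). The enclosing class continues outside the hunk.
```java
public void init(Environment environment, Injector injector) {
    environment.jersey().register(injector.getInstance(EdgeCallbackGcp.class));
    environment.jersey().register(injector.getInstance(KeyUploaderCallbackGcp.class));
    environment.jersey().register(injector.getInstance(ComputationalResourceGcp.class));
    if (injector.getInstance(SelfServiceApplicationConfiguration.class).isGcpOuauth2AuthenticationEnabled()) {
        environment.jersey().register(injector.getInstance(GcpOauthResource.class));
    }
}
```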
diff --git a/services/self-service/src/main/java/com/epam/dlab/backendapi/resources/SecurityResource.java b/services/self-service/src/main/java/com/epam/dlab/backendapi/resources/SecurityResource.java
index d996558..1396fbd 100644
--- a/services/self-service/src/main/java/com/epam/dlab/backendapi/resources/SecurityResource.java
+++ b/services/self-service/src/main/java/com/epam/dlab/backendapi/resources/SecurityResource.java
@@ -65,10 +65,10 @@ public class SecurityResource implements SecurityAPI {
private SelfServiceApplicationConfiguration configuration;
@Inject
- public SecurityResource(SecurityDAO dao, @Named(ServiceConsts.SECURITY_SERVICE_NAME) RESTService securityService,
+ public SecurityResource(SecurityDAO dao,
EnvStatusListener envStatusListener, SelfServiceApplicationConfiguration configuration) {
this.dao = dao;
- this.securityService = securityService;
+ this.securityService = null;
this.envStatusListener = envStatusListener;
this.configuration = configuration;
}
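Review bot: `this.securityService = null;` keeps the `securityService` field in place while guaranteeing it is never populated, so any method of `SecurityResource` that still reads it (the method bodies are outside the hunk) will fail with a `NullPointerException` on the first login or logout request rather than with a clear error. The field should be removed together with its uses, or, if the class has to remain temporarily, the dependent code paths should be removed in the same commit so the null never reaches a call site. The `@Named` import that served this parameter is presumably now unused as well.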
diff --git a/services/self-service/src/main/java/com/epam/dlab/backendapi/servlet/guacamole/GuacamoleSecurityFilter.java b/services/self-service/src/main/java/com/epam/dlab/backendapi/servlet/guacamole/GuacamoleSecurityFilter.java
index 4545ed7..e5b0cc2 100644
--- a/services/self-service/src/main/java/com/epam/dlab/backendapi/servlet/guacamole/GuacamoleSecurityFilter.java
+++ b/services/self-service/src/main/java/com/epam/dlab/backendapi/servlet/guacamole/GuacamoleSecurityFilter.java
@@ -1,27 +1,18 @@
package com.epam.dlab.backendapi.servlet.guacamole;
-import com.epam.dlab.auth.UserInfo;
-import com.epam.dlab.backendapi.auth.SelfServiceSecurityAuthenticator;
import com.google.inject.Inject;
-import io.dropwizard.auth.AuthenticationException;
import lombok.extern.slf4j.Slf4j;
-import org.apache.commons.lang3.StringUtils;
import javax.servlet.*;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.ws.rs.core.HttpHeaders;
import java.io.IOException;
-import java.util.Optional;
@Slf4j
public class GuacamoleSecurityFilter implements Filter {
private static final String AUTH_HEADER_PREFIX = "Bearer ";
- private final SelfServiceSecurityAuthenticator authenticator;
@Inject
- public GuacamoleSecurityFilter(SelfServiceSecurityAuthenticator authenticator) {
- this.authenticator = authenticator;
+ public GuacamoleSecurityFilter() {
+
}
@Override
@@ -31,7 +22,7 @@ public class GuacamoleSecurityFilter implements Filter {
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
- HttpServletRequest request = (HttpServletRequest) servletRequest;
+ /*HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
final String authorization = request.getHeader(HttpHeaders.AUTHORIZATION);
try {
@@ -45,7 +36,8 @@ public class GuacamoleSecurityFilter implements Filter {
}
} catch (AuthenticationException e) {
log.error("Authentication error occurred: {}", e.getMessage());
- }
+ }*/
+ filterChain.doFilter(servletRequest, servletResponse);
}
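Review bot: `doFilter` now calls `filterChain.doFilter(servletRequest, servletResponse)` unconditionally, so every request on the Guacamole path passes this filter without any bearer-token check, while the class is still named and presumably still registered as a security filter (registration is outside the diff). If the check is moving to Keycloak, either take the filter out of the chain or implement the new check here; a no-op filter with a commented-out body reads as coverage that does not exist. At minimum a marker such as `// TODO(DLAB-728): bearer-token validation removed; re-add via Keycloak before exposing the Guacamole endpoint` should replace the commented-out block. In the first hunk of this file `AUTH_HEADER_PREFIX` and the blank-bodied constructor are now dead and can be dropped.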
diff --git a/services/self-service/src/test/java/com/epam/dlab/backendapi/resources/SecurityResourceTest.java b/services/self-service/src/test/java/com/epam/dlab/backendapi/resources/SecurityResourceTest.java
index 967c05e..2663bcf 100644
--- a/services/self-service/src/test/java/com/epam/dlab/backendapi/resources/SecurityResourceTest.java
+++ b/services/self-service/src/test/java/com/epam/dlab/backendapi/resources/SecurityResourceTest.java
@@ -54,7 +54,7 @@ public class SecurityResourceTest extends TestBase {
@Rule
public final ResourceTestRule resources = getResourceTestRuleInstance(
- new SecurityResource(securityDAO, securityService, envStatusListener, configuration));
+ new SecurityResource(securityDAO, envStatusListener, configuration));
@Before
public void setup() throws AuthenticationException {