[Gepardec/mega#735] OIDC config for google service account

Gepardec · Sep 23, 2024 · 37b5883 · 37b5883
1 parent 12f8fce
commit 37b5883
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/src/main/java/com/gepardec/mega/rest/api/MailResource.java b/src/main/java/com/gepardec/mega/rest/api/MailResource.java
@@ -21,7 +21,7 @@
 import java.time.LocalDateTime;
 
 @Path("/mail")
-//@Tenant("mega-cron")
+@Tenant("mega-cron")
 @Tag(name = "MailResource")
 @Produces(MediaType.APPLICATION_JSON)
 //@SecurityRequirement(name = "mega-cron")
@@ -67,6 +67,7 @@ public interface MailResource {
     @GET
     LocalDateTime ping();
 
+    @Tenant("google")
     @Path("/ping")
     @POST
     LocalDateTime postPing(@Context HttpHeaders headers);

diff --git a/src/main/java/com/gepardec/mega/rest/impl/MailResourceImpl.java b/src/main/java/com/gepardec/mega/rest/impl/MailResourceImpl.java
@@ -1,13 +1,16 @@
 package com.gepardec.mega.rest.impl;
 
+import com.gepardec.mega.application.exception.UnauthorizedException;
 import com.gepardec.mega.notification.mail.ReminderEmailSender;
 import com.gepardec.mega.notification.mail.receiver.MailReceiver;
 import com.gepardec.mega.rest.api.MailResource;
-import jakarta.annotation.security.RolesAllowed;
 import jakarta.enterprise.context.RequestScoped;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.core.HttpHeaders;
 import jakarta.ws.rs.core.Response;
+import org.eclipse.microprofile.jwt.Claim;
+import org.eclipse.microprofile.jwt.ClaimValue;
+import org.eclipse.microprofile.jwt.Claims;
 import org.slf4j.Logger;
 
 import java.time.LocalDateTime;
@@ -67,10 +70,19 @@ public LocalDateTime ping() {
         return LocalDateTime.now();
     }
 
+    @Inject
+    @Claim(standard = Claims.email)
+    ClaimValue<String> email;
+
     @Override
     public LocalDateTime postPing(HttpHeaders httpHeaders) {
         logger.info("Received POST request");
         logger.info("Headers: {}", httpHeaders.getRequestHeaders());
+        logger.info("Email: {}", email.getValue());
+
+        if (!"gepardec-service-mail@mega-260510.iam.gserviceaccount.com".equals(email.getValue())) {
+            throw new UnauthorizedException("Account not authorized to access this resource.");
+        }
 
         return LocalDateTime.now();
     }

diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
@@ -102,6 +102,12 @@ quarkus:
       roles:
         source: accesstoken
         role-claim-path: "resource_access/mega-cron/roles"
+    google:
+      auth-server-url: "https://accounts.google.com"
+      application-type: "service"
+      token:
+        issuer: "https://accounts.google.com"
+
 mp:
   openapi:
     filter: com.gepardec.mega.application.filter.MegaCronSecuritySchemaOASFilter