From 37b58831e657141d6aca5c838c06f64cdbaf8b98 Mon Sep 17 00:00:00 2001
From: Tod Oliver
Date: Mon, 23 Sep 2024 19:07:52 +0200
Subject: [PATCH] [Gepardec/mega#735] OIDC config for google service account
---
 .../com/gepardec/mega/rest/api/MailResource.java | 3 ++-
 .../gepardec/mega/rest/impl/MailResourceImpl.java | 14 +++++++++++++-
 src/main/resources/application.yaml | 6 ++++++
 3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/main/java/com/gepardec/mega/rest/api/MailResource.java b/src/main/java/com/gepardec/mega/rest/api/MailResource.java
index 8682fb58..74253527 100644
--- a/src/main/java/com/gepardec/mega/rest/api/MailResource.java
+++ b/src/main/java/com/gepardec/mega/rest/api/MailResource.java
@@ -21,7 +21,7 @@ import java.time.LocalDateTime;
 @Path("/mail")
-//@Tenant("mega-cron")
+@Tenant("mega-cron")
 @Tag(name = "MailResource")
 @Produces(MediaType.APPLICATION_JSON)
 //@SecurityRequirement(name = "mega-cron")
@@ -67,6 +67,7 @@ public interface MailResource {
 @GET
 LocalDateTime ping();
+ @Tenant("google")
 @Path("/ping")
 @POST
 LocalDateTime postPing(@Context HttpHeaders headers);
diff --git a/src/main/java/com/gepardec/mega/rest/impl/MailResourceImpl.java b/src/main/java/com/gepardec/mega/rest/impl/MailResourceImpl.java
index 8b3e79e8..6ca453dc 100644
--- a/src/main/java/com/gepardec/mega/rest/impl/MailResourceImpl.java
+++ b/src/main/java/com/gepardec/mega/rest/impl/MailResourceImpl.java
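Review bot: `@Tenant("google")` is declared on the interface method `postPing` while the class-level `@Tenant("mega-cron")` sits on the same interface, and the implementation lives in MailResourceImpl; confirm that Quarkus tenant resolution honours `@Tenant` declared on the JAX-RS interface and not only on the implementation class, otherwise the POST would be validated against the `mega-cron` tenant and the Google token rejected (or a `mega-cron` token accepted where only a Google one should be). The split tenancy of the two `/ping` endpoints is not obvious from the interface alone; a comment on `postPing` such as `// Bearer-only: expects a Google ID token (tenant "google"); the caller identity is checked in MailResourceImpl` would record the intent. The hunk shows only the annotations around `ping` and `postPing`; the rest of the interface is outside it.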
@@ -1,13 +1,16 @@
 package com.gepardec.mega.rest.impl;
+import com.gepardec.mega.application.exception.UnauthorizedException;
 import com.gepardec.mega.notification.mail.ReminderEmailSender;
 import com.gepardec.mega.notification.mail.receiver.MailReceiver;
 import com.gepardec.mega.rest.api.MailResource;
-import jakarta.annotation.security.RolesAllowed;
 import jakarta.enterprise.context.RequestScoped;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.core.HttpHeaders;
 import jakarta.ws.rs.core.Response;
+import org.eclipse.microprofile.jwt.Claim;
+import org.eclipse.microprofile.jwt.ClaimValue;
+import org.eclipse.microprofile.jwt.Claims;
 import org.slf4j.Logger;
 import java.time.LocalDateTime;
@@ -67,10 +70,19 @@ public LocalDateTime ping() {
 return LocalDateTime.now();
 }
+ @Inject
+ @Claim(standard = Claims.email)
+ ClaimValue email;
+
 @Override
 public LocalDateTime postPing(HttpHeaders httpHeaders) {
 logger.info("Received POST request");
 logger.info("Headers: {}", httpHeaders.getRequestHeaders());
+ logger.info("Email: {}", email.getValue());
+
+ if (!"gepardec-service-mail@mega-260510.iam.gserviceaccount.com".equals(email.getValue())) {
+ throw new UnauthorizedException("Account not authorized to access this resource.");
+ }
 return LocalDateTime.now();
 }
diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
index fb7375fd..f88ab824 100644
--- a/src/main/resources/application.yaml
+++ b/src/main/resources/application.yaml
@@ -102,6 +102,12 @@ quarkus:
 roles:
 source: accesstoken
 role-claim-path: "resource_access/mega-cron/roles"
+ google:
+ auth-server-url: "https://accounts.google.com"
+ application-type: "service"
+ token:
+ issuer: "https://accounts.google.com"
+
 mp:
 openapi:
 filter: com.gepardec.mega.application.filter.MegaCronSecuritySchemaOASFilter
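Review bot: The only identity that `postPing` accepts is a string literal in the method body, so rotating or renaming the service account means a code change and a redeploy, and the address would have to be duplicated wherever else it is checked; inject it from configuration instead, e.g. `@ConfigProperty(name = "<allowed-service-account-config-key>") String allowedServiceAccount;` and compare with `allowedServiceAccount.equals(email.getValue())` (the literal-first `equals` stays null-safe when the claim is absent). `ClaimValue email` is a raw type; declare it as `ClaimValue<String> email` so `getValue()` is typed and the injection point documents what is expected. The new `logger.info("Email: {}", ...)` line sits directly under the pre-existing `logger.info("Headers: {}", httpHeaders.getRequestHeaders())`, which writes every request header, including the bearer token this check depends on, to the INFO log; dropping or redacting that line belongs with this change. The field and the method are members of `MailResourceImpl`, whose class header and other members are outside the hunk.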
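Review bot: The new `google` tenant pins the token `issuer` but sets no expected audience, and no `client-id` for this tenant is visible in the hunk, so an ID token minted by accounts.google.com for any audience passes the tenant's signature and issuer verification and is filtered only by the email comparison in `MailResourceImpl.postPing`. Add the audience the service-account token is minted for under the new `token:` key, next to `issuer`: `audience: "<expected-audience>"` (the `quarkus.oidc.<tenant>.token.audience` property). If a `client-id` for this tenant exists outside the hunk and the runtime already checks `aud` against it, this may be covered, but stating it explicitly here is cheaper than relying on that. `application-type: "service"` makes the tenant bearer-only, which fits a non-interactive cron caller.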