Allow script token principals to read unspecified resources

deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/security/ScriptTokenRoleAuthorizer.java

@@ -47,6 +47,11 @@ public boolean authorize(
             return false;
         }
 
+        if (AuthZResource.Type.UNSPECIFIED.equals(requestedResource.getType())) {
+            // Always allow unspecified resources as they are READ operations
+            return true;
+        }
+
         if (AuthZResource.Type.ENV_STAGE.equals(requestedResource.getType())) {
             if (requestedResource.getEnvName().equals(principal.getResource().getName())) {
                 return true;

deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/security/ScriptTokenRoleAuthorizerTest.java

@@ -238,4 +238,18 @@ public void testPublish() throws Exception {
         checkPositive(sysOperator, build, TeletraanPrincipalRole.PUBLISHER);
         checkNegative(sysReader, build, TeletraanPrincipalRole.PUBLISHER);
     }
+
+    @Test
+    public void testUnspecified() throws Exception {
+        checkPositive(sysAdmin, AuthZResource.UNSPECIFIED_RESOURCE, TeletraanPrincipalRole.READ);
+        checkPositive(sysOperator, AuthZResource.UNSPECIFIED_RESOURCE, TeletraanPrincipalRole.READ);
+        checkPositive(sysReader, AuthZResource.UNSPECIFIED_RESOURCE, TeletraanPrincipalRole.READ);
+
+        checkPositive(envAdmin, AuthZResource.UNSPECIFIED_RESOURCE, TeletraanPrincipalRole.READ);
+        checkPositive(envOperator, AuthZResource.UNSPECIFIED_RESOURCE, TeletraanPrincipalRole.READ);
+        checkPositive(envReader, AuthZResource.UNSPECIFIED_RESOURCE, TeletraanPrincipalRole.READ);
+
+        checkPositive(pinger, AuthZResource.UNSPECIFIED_RESOURCE, TeletraanPrincipalRole.READ);
+        checkPositive(publisher, AuthZResource.UNSPECIFIED_RESOURCE, TeletraanPrincipalRole.READ);
+    }
 }