getOrCreateAuthorizer(
+ TeletraanServiceContext context) {
if (pastisAuthorizer == null) {
pastisAuthorizer =
BasePastisAuthorizer.builder()
@@ -49,15 +51,32 @@ public TeletraanAuthorizer
create(
.serviceName(pastisServiceName)
.build();
}
- return (TeletraanAuthorizer
) pastisAuthorizer;
+ return pastisAuthorizer;
+ }
+
+ @Override
+ public
Authorizer
create(TeletraanServiceContext context) {
+ return (Authorizer
) getOrCreateAuthorizer(context);
}
@Override
- public
TeletraanAuthorizer extends TeletraanPrincipal> create(
- TeletraanServiceContext context, Class
principalClass) throws Exception {
- if (ServicePrincipal.class.equals(principalClass)) {
- return new ScriptTokenRoleAuthorizer(context.getAuthZResourceExtractorFactory());
+ public
Authorizer
create(
+ TeletraanServiceContext context, Class
principalClass) {
+ if (ScriptTokenPrincipal.class.equals(principalClass)) {
+ return (Authorizer
)
+ new ScriptTokenRoleAuthorizer(context.getAuthZResourceExtractorFactory());
}
return create(context);
}
+
+ @Override
+ public TeletraanAuthorizer createSecondaryAuthorizer(
+ TeletraanServiceContext context, Class extends TeletraanPrincipal> principalClass)
+ throws ForbiddenException {
+ if (ScriptTokenPrincipal.class.equals(principalClass)) {
+ // Deny all on-the-fly authorization requests for script token principals
+ return new DenyAllAuthorizer();
+ }
+ return getOrCreateAuthorizer(context);
+ }
}
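Review bot: The deny branch in `createSecondaryAuthorizer` keys on exact class equality, `ScriptTokenPrincipal.class.equals(principalClass)`, so a subclass or proxy of `ScriptTokenPrincipal` falls through to the shared Pastis authorizer instead of `DenyAllAuthorizer`, the opposite of the fail-closed intent stated in the comment; the dispatch in `create(context, principalClass)` just above has the same shape. The caller in `EnvCapacities.authorize` hands in `teletraanPrincipal.getClass()`, the runtime class, which is exactly where such a subtype would arrive. A subtype-aware check keeps the deny path closed: `if (principalClass != null && ScriptTokenPrincipal.class.isAssignableFrom(principalClass)) {`. Separately, `throws ForbiddenException` on `createSecondaryAuthorizer` is never thrown in this body, which is only warranted if `AuthorizationFactory` declares it. `getOrCreateAuthorizer` begins above this hunk.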
diff --git a/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/OpenAuthorizationFactory.java b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/OpenAuthorizationFactory.java
index c4ff36479c..71b6ee8245 100644
--- a/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/OpenAuthorizationFactory.java
+++ b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/OpenAuthorizationFactory.java
@@ -17,31 +17,14 @@
import com.fasterxml.jackson.annotation.JsonTypeName;
import com.pinterest.teletraan.TeletraanServiceContext;
-import com.pinterest.teletraan.universal.security.TeletraanAuthorizer;
-import com.pinterest.teletraan.universal.security.bean.AuthZResource;
import com.pinterest.teletraan.universal.security.bean.TeletraanPrincipal;
-import javax.annotation.Nullable;
-import javax.ws.rs.container.ContainerRequestContext;
+import io.dropwizard.auth.Authorizer;
+import io.dropwizard.auth.PermitAllAuthorizer;
@JsonTypeName("open")
public class OpenAuthorizationFactory implements AuthorizationFactory {
@Override
- public TeletraanAuthorizer create(TeletraanServiceContext context)
- throws Exception {
- return new TeletraanAuthorizer() {
- @Override
- public boolean authorize(TeletraanPrincipal principal, String resource) {
- return true;
- }
-
- @Override
- public boolean authorize(
- TeletraanPrincipal principal,
- String role,
- AuthZResource requestedResource,
- @Nullable ContainerRequestContext context) {
- return true;
- }
- };
+ public Authorizer create(TeletraanServiceContext context) {
+ return new PermitAllAuthorizer<>();
}
}
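Review bot: `OpenAuthorizationFactory` still overrides only `create(context)`, now returning Dropwizard's `PermitAllAuthorizer`, while the new `EnvCapacities.authorize` in this commit calls `authorizationFactory.createSecondaryAuthorizer(...)` and expects a `TeletraanAuthorizer`; unless `AuthorizationFactory` (not in this diff) supplies a default, the `open` mode has no on-the-fly authorizer, and the `OpenAuthorizer` class added under `universal/` in this same commit is referenced nowhere. Overriding it here, `public TeletraanAuthorizer createSecondaryAuthorizer(TeletraanServiceContext context, Class<? extends TeletraanPrincipal> principalClass) { return new OpenAuthorizer(); }`, would make the mode self-consistent and give that class a consumer. A class Javadoc, `/** Permits every request for every principal; only for deployments where authorization is intentionally disabled. */`, would also make the fail-open nature explicit to whoever selects `open` in config.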
diff --git a/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/RoleAuthorizationFactory.java b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/RoleAuthorizationFactory.java
index 28f2d7563a..20d3f0a729 100644
--- a/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/RoleAuthorizationFactory.java
+++ b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/RoleAuthorizationFactory.java
@@ -20,29 +20,30 @@
import com.pinterest.teletraan.TeletraanServiceContext;
import com.pinterest.teletraan.security.ScriptTokenRoleAuthorizer;
import com.pinterest.teletraan.security.UserRoleAuthorizer;
-import com.pinterest.teletraan.universal.security.TeletraanAuthorizer;
-import com.pinterest.teletraan.universal.security.bean.ServicePrincipal;
+import com.pinterest.teletraan.universal.security.bean.ScriptTokenPrincipal;
import com.pinterest.teletraan.universal.security.bean.TeletraanPrincipal;
import com.pinterest.teletraan.universal.security.bean.UserPrincipal;
+import io.dropwizard.auth.Authorizer;
@JsonTypeName("role")
public class RoleAuthorizationFactory implements AuthorizationFactory {
@JsonProperty private String roleCacheSpec; // Unused, for backwards compatibility
@Override
- public TeletraanAuthorizer
create(
- TeletraanServiceContext context) throws Exception {
+ public
Authorizer
create(TeletraanServiceContext context) {
throw new UnsupportedOperationException(
"RoleAuthorizationFactory does not support this method. Use create(TeletraanServiceContext, Class
) instead.");
}
@Override
- public
TeletraanAuthorizer extends TeletraanPrincipal> create(
- TeletraanServiceContext context, Class
principalClass) throws Exception {
- if (ServicePrincipal.class.equals(principalClass)) {
- return new ScriptTokenRoleAuthorizer(context.getAuthZResourceExtractorFactory());
+ public
Authorizer
create(
+ TeletraanServiceContext context, Class
principalClass) {
+ if (ScriptTokenPrincipal.class.equals(principalClass)) {
+ return (Authorizer
)
+ new ScriptTokenRoleAuthorizer(context.getAuthZResourceExtractorFactory());
} else if (UserPrincipal.class.equals(principalClass)) {
- return new UserRoleAuthorizer(context, context.getAuthZResourceExtractorFactory());
+ return (Authorizer
)
+ new UserRoleAuthorizer(context, context.getAuthZResourceExtractorFactory());
}
throw new UnsupportedOperationException("Unsupported principal class: " + principalClass);
}
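Review bot: `RoleAuthorizationFactory` gains no `createSecondaryAuthorizer` override, yet `EnvCapacities.authorize` in this commit now resolves its on-the-fly authorizer through that method; since `create(context)` here throws `UnsupportedOperationException`, a default that delegates to it (the interface is not in this diff, so this is inferred) would turn a capacity request under `role` mode into a server error rather than a 403. Mirroring the dispatch of `create(context, principalClass)` here, returning `UserRoleAuthorizer` for `UserPrincipal` and whichever policy is intended for `ScriptTokenPrincipal` (the composite factory chose `DenyAllAuthorizer`), would close that gap. The exact-class `equals` checks on both branches also exclude subtypes of the principal classes, which is worth a comment if intentional.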
diff --git a/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/TokenAuthenticationFactory.java b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/TokenAuthenticationFactory.java
index 2fc937e94f..fecbee7d55 100644
--- a/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/TokenAuthenticationFactory.java
+++ b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/TokenAuthenticationFactory.java
@@ -24,7 +24,6 @@
import com.pinterest.teletraan.universal.security.OAuthAuthenticator;
import com.pinterest.teletraan.universal.security.ScriptTokenAuthenticator;
import com.pinterest.teletraan.universal.security.bean.ScriptTokenPrincipal;
-import com.pinterest.teletraan.universal.security.bean.ServicePrincipal;
import com.pinterest.teletraan.universal.security.bean.UserPrincipal;
import com.pinterest.teletraan.universal.security.bean.ValueBasedRole;
import io.dropwizard.auth.AuthFilter;
@@ -34,6 +33,7 @@
import io.dropwizard.auth.JSONUnauthorizedHandler;
import io.dropwizard.auth.chained.ChainedAuthFilter;
import io.dropwizard.auth.oauth.OAuthCredentialAuthFilter;
+import java.net.MalformedURLException;
import java.util.Arrays;
import javax.validation.constraints.NotEmpty;
import javax.ws.rs.container.ContainerRequestFilter;
@@ -103,7 +103,7 @@ public ContainerRequestFilter create(TeletraanServiceContext context) throws Exc
@SuppressWarnings({"unchecked"})
AuthFilter> createScriptTokenAuthFilter(
- TeletraanServiceContext context) throws Exception {
+ TeletraanServiceContext context) {
Authenticator> scriptTokenAuthenticator =
new ScriptTokenAuthenticator<>(new TeletraanScriptTokenProvider(context));
if (StringUtils.isNotBlank(getTokenCacheSpec())) {
@@ -117,17 +117,17 @@ AuthFilter> createScriptTokenAuthFi
.setAuthenticator(scriptTokenAuthenticator)
.setAuthorizer(
(Authorizer>)
- context.getAuthorizationFactory()
- .create(context, ServicePrincipal.class))
+ (Authorizer>)
+ context.getAuthorizationFactory()
+ .create(context, ScriptTokenPrincipal.class))
.setPrefix("token")
.setUnauthorizedHandler(new JSONUnauthorizedHandler())
.buildAuthFilter();
}
// TODO: CDP-7837 remove this after all the clients are updated to use the new token scheme
- @SuppressWarnings({"unchecked"})
AuthFilter createOauthTokenAuthFilter(TeletraanServiceContext context)
- throws Exception {
+ throws MalformedURLException {
Authenticator oauthAuthenticator =
new OAuthAuthenticator(getUserDataUrl(), getGroupDataUrl());
if (StringUtils.isNotBlank(getTokenCacheSpec())) {
@@ -140,17 +140,14 @@ AuthFilter createOauthTokenAuthFilter(TeletraanServiceCon
return new OAuthCredentialAuthFilter.Builder()
.setAuthenticator(oauthAuthenticator)
.setAuthorizer(
- (Authorizer)
- context.getAuthorizationFactory()
- .create(context, UserPrincipal.class))
+ context.getAuthorizationFactory().create(context, UserPrincipal.class))
.setPrefix("token")
.setUnauthorizedHandler(new JSONUnauthorizedHandler())
.buildAuthFilter();
}
- @SuppressWarnings({"unchecked"})
AuthFilter createJwtTokenAuthFilter(TeletraanServiceContext context)
- throws Exception {
+ throws MalformedURLException {
Authenticator oauthJwtAuthenticator =
new OAuthAuthenticator(getUserDataUrl(), getGroupDataUrl());
if (StringUtils.isNotBlank(getTokenCacheSpec())) {
@@ -163,9 +160,7 @@ AuthFilter createJwtTokenAuthFilter(TeletraanServiceConte
return new OAuthCredentialAuthFilter.Builder()
.setAuthenticator(oauthJwtAuthenticator)
.setAuthorizer(
- (Authorizer)
- context.getAuthorizationFactory()
- .create(context, UserPrincipal.class))
+ context.getAuthorizationFactory().create(context, UserPrincipal.class))
.setPrefix("Bearer")
.setUnauthorizedHandler(new JSONUnauthorizedHandler())
.buildAuthFilter();
diff --git a/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/resource/EnvCapacities.java b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/resource/EnvCapacities.java
index 4777b82e7e..598307da3a 100644
--- a/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/resource/EnvCapacities.java
+++ b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/resource/EnvCapacities.java
@@ -233,8 +233,7 @@ void authorize(
EnvironBean targetEnvironBean,
Principal principal,
CapacityType capacityType,
- List capacities)
- throws Exception {
+ List capacities) {
if (isSidecarEnvironment(targetEnvironBean)) {
// Allow sidecars to add capacity
return;
@@ -243,15 +242,15 @@ void authorize(
if (!(principal instanceof TeletraanPrincipal)) {
throw new UnsupportedOperationException("Only TeletraanPrincipal is allowed");
}
- HashSet resources = getCapacityMainEnvironments(capacityType, capacities);
+ TeletraanPrincipal teletraanPrincipal = (TeletraanPrincipal) principal;
+ TeletraanAuthorizer authorizer =
+ authorizationFactory.createSecondaryAuthorizer(
+ context, teletraanPrincipal.getClass());
- TeletraanAuthorizer authorizer = authorizationFactory.create(context);
+ HashSet resources = getCapacityMainEnvironments(capacityType, capacities);
for (AuthZResource resource : resources) {
if (!authorizer.authorize(
- (TeletraanPrincipal) principal,
- TeletraanPrincipalRole.Names.WRITE,
- resource,
- null)) {
+ teletraanPrincipal, TeletraanPrincipalRole.Names.WRITE, resource, null)) {
throw new ForbiddenException(
String.format(
"Principal %s is not allowed to modify capacity owned by env %s",
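Review bot: Switching from `authorizationFactory.create(context)` to `createSecondaryAuthorizer(context, teletraanPrincipal.getClass())` changes policy, not just plumbing: under `CompositeAuthorizationFactory` a `ScriptTokenPrincipal` now receives `DenyAllAuthorizer`, so every non-empty capacity change from a script token is refused, but nothing at this call site says so and the "not allowed to modify capacity" message gives no hint that the token type, not its roles, is the reason. A comment above the lookup, `// Authorizer is chosen per principal type; script tokens are denied on-the-fly capacity changes (see AuthorizationFactory.createSecondaryAuthorizer)`, would record the intent. The factory call also runs when `resources` is empty, where no decision is needed; computing `resources` first and returning early on empty avoids it. `authorize` starts above this hunk and its `String.format` continues past it.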
diff --git a/deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/config/CompositeAuthorizationFactoryTest.java b/deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/config/CompositeAuthorizationFactoryTest.java
index fd442cd27e..7edfea8e25 100644
--- a/deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/config/CompositeAuthorizationFactoryTest.java
+++ b/deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/config/CompositeAuthorizationFactoryTest.java
@@ -20,24 +20,81 @@
import static org.junit.jupiter.api.Assertions.assertTrue;
import com.pinterest.teletraan.TeletraanServiceContext;
+import com.pinterest.teletraan.security.ScriptTokenRoleAuthorizer;
import com.pinterest.teletraan.security.TeletraanAuthZResourceExtractorFactory;
import com.pinterest.teletraan.universal.security.BasePastisAuthorizer;
+import com.pinterest.teletraan.universal.security.DenyAllAuthorizer;
+import com.pinterest.teletraan.universal.security.TeletraanAuthorizer;
+import com.pinterest.teletraan.universal.security.bean.ScriptTokenPrincipal;
+import com.pinterest.teletraan.universal.security.bean.ServicePrincipal;
+import com.pinterest.teletraan.universal.security.bean.TeletraanPrincipal;
+import com.pinterest.teletraan.universal.security.bean.UserPrincipal;
import io.dropwizard.auth.Authorizer;
+import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
class CompositeAuthorizationFactoryTest {
- @Test
- void testCreate() throws Exception {
- TeletraanServiceContext context = new TeletraanServiceContext();
+ private TeletraanServiceContext context;
+ private CompositeAuthorizationFactory sut;
+
+ @BeforeEach
+ void setUp() {
+ context = new TeletraanServiceContext();
context.setAuthZResourceExtractorFactory(
new TeletraanAuthZResourceExtractorFactory(context));
- CompositeAuthorizationFactory factory = new CompositeAuthorizationFactory();
+ sut = new CompositeAuthorizationFactory();
+ }
- Authorizer> authorizer = factory.create(context);
+ @Test
+ void testCreate() {
+ Authorizer> authorizer = sut.create(context);
assertNotNull(authorizer);
assertTrue(authorizer instanceof BasePastisAuthorizer);
- Authorizer> authorizer2 = factory.create(context);
+ Authorizer> authorizer2 = sut.create(context);
assertSame(authorizer, authorizer2);
}
+
+ @Test
+ void testCreateWithNullPrincipalClass() {
+ Authorizer> authorizer = sut.create(context, null);
+ assertNotNull(authorizer);
+ assertTrue(authorizer instanceof BasePastisAuthorizer);
+ }
+
+ @Test
+ void testCreateWithScriptTokenPrincipalClass() {
+ Authorizer> authorizer = sut.create(context, ScriptTokenPrincipal.class);
+ assertTrue(authorizer instanceof ScriptTokenRoleAuthorizer);
+ }
+
+ @Test
+ void testCreateWithUserPrincipalClass() {
+ Authorizer> authorizer = sut.create(context, UserPrincipal.class);
+ assertTrue(authorizer instanceof BasePastisAuthorizer);
+ }
+
+ @Test
+ void testCreateSecondaryAuthorizerWithNullPrincipalClass() {
+ TeletraanAuthorizer authorizer =
+ sut.createSecondaryAuthorizer(context, null);
+ assertNotNull(authorizer);
+ assertTrue(authorizer instanceof BasePastisAuthorizer);
+ }
+
+ @Test
+ void testCreateSecondaryAuthorizerWithScriptTokenPrincipalClass() {
+ TeletraanPrincipal scriptTokenPrincipal = new ScriptTokenPrincipal<>(null, null, null);
+ TeletraanAuthorizer authorizer =
+ sut.createSecondaryAuthorizer(context, scriptTokenPrincipal.getClass());
+ assertTrue(authorizer instanceof DenyAllAuthorizer);
+ }
+
+ @Test
+ void testCreateSecondaryAuthorizerWithServicePrincipalClass() {
+ TeletraanPrincipal servicePrincipal = new ServicePrincipal("");
+ TeletraanAuthorizer authorizer =
+ sut.createSecondaryAuthorizer(context, servicePrincipal.getClass());
+ assertTrue(authorizer instanceof BasePastisAuthorizer);
+ }
}
diff --git a/deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/config/RoleAuthorizationFactoryTest.java b/deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/config/RoleAuthorizationFactoryTest.java
index d1a4b6974b..35ca4f1004 100644
--- a/deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/config/RoleAuthorizationFactoryTest.java
+++ b/deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/config/RoleAuthorizationFactoryTest.java
@@ -21,6 +21,7 @@
import com.pinterest.teletraan.TeletraanServiceContext;
import com.pinterest.teletraan.security.ScriptTokenRoleAuthorizer;
import com.pinterest.teletraan.security.UserRoleAuthorizer;
+import com.pinterest.teletraan.universal.security.bean.ScriptTokenPrincipal;
import com.pinterest.teletraan.universal.security.bean.ServicePrincipal;
import com.pinterest.teletraan.universal.security.bean.TeletraanPrincipal;
import com.pinterest.teletraan.universal.security.bean.UserPrincipal;
@@ -40,19 +41,28 @@ void testCreate() {
}
@Test
- void testCreate_servicePrincipal() throws Exception {
+ void testCreate_servicePrincipal() {
+ assertThrows(
+ UnsupportedOperationException.class,
+ () -> {
+ sut.create(context, ServicePrincipal.class);
+ });
+ }
+
+ @Test
+ void testCreate_scriptTokenPrincipal() {
assertEquals(
ScriptTokenRoleAuthorizer.class,
- sut.create(context, ServicePrincipal.class).getClass());
+ sut.create(context, ScriptTokenPrincipal.class).getClass());
}
@Test
- void testCreate_userPrincipal() throws Exception {
+ void testCreate_userPrincipal() {
assertEquals(UserRoleAuthorizer.class, sut.create(context, UserPrincipal.class).getClass());
}
@Test
- void testCreate_otherPrincipal() throws Exception {
+ void testCreate_otherPrincipal() {
assertThrows(
UnsupportedOperationException.class,
() -> {
diff --git a/deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/resource/EnvCapacitiesTest.java b/deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/resource/EnvCapacitiesTest.java
index 1ce3a51a4d..aa3735578e 100644
--- a/deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/resource/EnvCapacitiesTest.java
+++ b/deploy-service/teletraanservice/src/test/java/com/pinterest/teletraan/resource/EnvCapacitiesTest.java
@@ -30,6 +30,7 @@
import com.pinterest.teletraan.TeletraanServiceContext;
import com.pinterest.teletraan.config.AuthorizationFactory;
import com.pinterest.teletraan.resource.EnvCapacities.CapacityType;
+import com.pinterest.teletraan.universal.security.AnonymousAuthFilter;
import com.pinterest.teletraan.universal.security.TeletraanAuthorizer;
import com.pinterest.teletraan.universal.security.bean.AuthZResource;
import com.pinterest.teletraan.universal.security.bean.TeletraanPrincipal;
@@ -57,16 +58,17 @@ class EnvCapacitiesTest {
@Mock private EnvironDAO environDAO;
@Mock private GroupDAO groupDAO;
@Mock private TeletraanAuthorizer authorizer;
- @Mock private TeletraanPrincipal principal;
+ private TeletraanPrincipal principal;
@BeforeEach
- void setUp() throws Exception {
+ void setUp() {
MockitoAnnotations.openMocks(this);
+ principal = AnonymousAuthFilter.USER;
TeletraanServiceContext serviceContext = new TeletraanServiceContext();
AuthorizationFactory authorizationFactory = mock(AuthorizationFactory.class);
- when(authorizationFactory.create(any())).thenReturn(authorizer);
+ when(authorizationFactory.createSecondaryAuthorizer(any(), any())).thenReturn(authorizer);
serviceContext.setAuthorizationFactory(authorizationFactory);
serviceContext.setEnvironDAO(environDAO);
serviceContext.setGroupDAO(groupDAO);
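Review bot: The stub `when(authorizationFactory.createSecondaryAuthorizer(any(), any())).thenReturn(authorizer)` accepts any principal class, so these tests never check that `EnvCapacities.authorize` requests the authorizer for the principal's own runtime type, which is the new behaviour this commit introduces. Stubbing with `eq(AnonymousAuthFilter.USER.getClass())` here, or adding `verify(authorizationFactory).createSecondaryAuthorizer(any(), eq(principal.getClass()))` in the success test, would pin the dispatch. `setUp` continues past this hunk.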
@@ -79,7 +81,7 @@ void setUp() throws Exception {
@ParameterizedTest
@MethodSource("capacityTypes")
- void authorizeShouldAllowSidecarEnvsToAddCapacities(CapacityType type) throws Exception {
+ void authorizeShouldAllowSidecarEnvsToAddCapacities(CapacityType type) {
EnvironBean envBean = EnvironBeanFixture.createRandomEnvironBean();
envBean.setSystem_priority(1);
@@ -88,7 +90,7 @@ void authorizeShouldAllowSidecarEnvsToAddCapacities(CapacityType type) throws Ex
@ParameterizedTest
@MethodSource("capacityTypes")
- void authorizeShouldAllowEmptyCapacities(CapacityType type) throws Exception {
+ void authorizeShouldAllowEmptyCapacities(CapacityType type) {
EnvironBean envBean = EnvironBeanFixture.createRandomEnvironBean();
assertDoesNotThrow(() -> sut.authorize(envBean, principal, type, new ArrayList<>()));
@@ -115,7 +117,7 @@ void authorizeSuccess(CapacityType type) throws Exception {
when(environDAO.getByCluster(capacity)).thenReturn(envBean);
}
when(authorizer.authorize(
- (TeletraanPrincipal) principal,
+ principal,
TeletraanPrincipalRole.Names.WRITE,
new AuthZResource(envBean.getEnv_name(), envBean.getStage_name()),
null))
diff --git a/deploy-service/universal/pom.xml b/deploy-service/universal/pom.xml
index bf0e2cd861..e731f84e68 100644
--- a/deploy-service/universal/pom.xml
+++ b/deploy-service/universal/pom.xml
@@ -11,7 +11,7 @@
com.pinterest.teletraan
universal
- 2.2-SNAPSHOT
+ 2.3-SNAPSHOT
Teletraan platform universal components
https://github.com/pinterest/teletraan/
diff --git a/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/BaseAuthorizer.java b/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/BaseAuthorizer.java
index 5c1b66adb6..13857436de 100644
--- a/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/BaseAuthorizer.java
+++ b/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/BaseAuthorizer.java
@@ -19,6 +19,7 @@
import com.pinterest.teletraan.universal.security.AuthZResourceExtractor.ExtractionException;
import com.pinterest.teletraan.universal.security.bean.AuthZResource;
import com.pinterest.teletraan.universal.security.bean.TeletraanPrincipal;
+import io.dropwizard.auth.Authorizer;
import javax.annotation.Nullable;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.container.ContainerRequestContext;
@@ -34,7 +35,7 @@
@AllArgsConstructor
@Slf4j
public abstract class BaseAuthorizer
- implements TeletraanAuthorizer
{
+ implements TeletraanAuthorizer
, Authorizer
{
protected final AuthZResourceExtractor.Factory extractorFactory;
@Override
diff --git a/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/BasePastisAuthorizer.java b/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/BasePastisAuthorizer.java
index 27c6158af3..8a0b012cad 100644
--- a/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/BasePastisAuthorizer.java
+++ b/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/BasePastisAuthorizer.java
@@ -36,7 +36,7 @@
* @param
the principal type
*/
@Slf4j
-public class BasePastisAuthorizer
extends BaseAuthorizer
{
+public class BasePastisAuthorizer extends BaseAuthorizer {
private static final String INPUT = "input";
protected final PastisAuthorizer pastis;
@@ -62,7 +62,7 @@ public BasePastisAuthorizer(PastisAuthorizer pastis, AuthZResourceExtractor.Fact
@Override
public boolean authorize(
- P principal,
+ TeletraanPrincipal principal,
String role,
AuthZResource requestedResource,
@Nullable ContainerRequestContext context) {
diff --git a/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/DenyAllAuthorizer.java b/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/DenyAllAuthorizer.java
new file mode 100644
index 0000000000..8132f309ad
--- /dev/null
+++ b/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/DenyAllAuthorizer.java
@@ -0,0 +1,32 @@
+/**
+ * Copyright (c) 2024 Pinterest, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.pinterest.teletraan.universal.security;
+
+import com.pinterest.teletraan.universal.security.bean.AuthZResource;
+import com.pinterest.teletraan.universal.security.bean.TeletraanPrincipal;
+import javax.annotation.Nullable;
+import javax.ws.rs.container.ContainerRequestContext;
+
+public class DenyAllAuthorizer implements TeletraanAuthorizer {
+ @Override
+ public boolean authorize(
+ TeletraanPrincipal principal,
+ String role,
+ AuthZResource requestedResource,
+ @Nullable ContainerRequestContext context) {
+ return false;
+ }
+}
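Review bot: `DenyAllAuthorizer` has no Javadoc and no test in this commit, although it is the fail-closed leg of `createSecondaryAuthorizer` and the only thing standing between a script token and another environment's capacity. A class comment such as `/** Fail-closed authorizer: rejects every request regardless of principal, role or resource. Returned for principals that must not receive on-the-fly authorization (script tokens). */` states the contract. A one-line test, `assertFalse(new DenyAllAuthorizer().authorize(principal, TeletraanPrincipalRole.Names.WRITE, resource, null))`, would guard against a later inversion.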
diff --git a/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/OpenAuthorizer.java b/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/OpenAuthorizer.java
new file mode 100644
index 0000000000..85bd71a7a7
--- /dev/null
+++ b/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/OpenAuthorizer.java
@@ -0,0 +1,32 @@
+/**
+ * Copyright (c) 2024 Pinterest, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.pinterest.teletraan.universal.security;
+
+import com.pinterest.teletraan.universal.security.bean.AuthZResource;
+import com.pinterest.teletraan.universal.security.bean.TeletraanPrincipal;
+import javax.annotation.Nullable;
+import javax.ws.rs.container.ContainerRequestContext;
+
+public class OpenAuthorizer implements TeletraanAuthorizer {
+ @Override
+ public boolean authorize(
+ TeletraanPrincipal principal,
+ String role,
+ AuthZResource requestedResource,
+ @Nullable ContainerRequestContext context) {
+ return true;
+ }
+}
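Review bot: `OpenAuthorizer` returns true for every principal, role and resource, carries no Javadoc saying so, and nothing in this diff references it (`OpenAuthorizationFactory` returns Dropwizard's `PermitAllAuthorizer` instead). If it is meant as the `TeletraanAuthorizer` counterpart for the `open` mode, a class comment such as `/** Fail-open authorizer for the "open" authorization mode: permits every request. Never use where access control is required. */` plus a use from `OpenAuthorizationFactory.createSecondaryAuthorizer` would make that explicit; otherwise it is unused code that another factory could pick up by accident.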
diff --git a/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/TeletraanAuthorizer.java b/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/TeletraanAuthorizer.java
index 9b6092ace3..0ce9957880 100644
--- a/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/TeletraanAuthorizer.java
+++ b/deploy-service/universal/src/main/java/com/pinterest/teletraan/universal/security/TeletraanAuthorizer.java
@@ -17,11 +17,10 @@
import com.pinterest.teletraan.universal.security.bean.AuthZResource;
import com.pinterest.teletraan.universal.security.bean.TeletraanPrincipal;
-import io.dropwizard.auth.Authorizer;
import javax.annotation.Nullable;
import javax.ws.rs.container.ContainerRequestContext;
-public interface TeletraanAuthorizer extends Authorizer
{
+public interface TeletraanAuthorizer
{
boolean authorize(
P principal,
String role,
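Review bot: With `TeletraanAuthorizer` no longer extending Dropwizard's `Authorizer`, this interface is now the sole contract for the on-the-fly decisions in `EnvCapacities`, yet `authorize` has no Javadoc stating what implementations must do when a decision cannot be made. `BasePastisAuthorizerTest` in this commit pins that a Pastis failure yields false; writing that down, `/** Returns true only if principal holds role on requestedResource. Implementations fail closed: return false rather than throw when the decision cannot be made. */`, keeps the new `DenyAllAuthorizer` and `OpenAuthorizer` and future implementations honest. The interface body continues past this hunk.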
diff --git a/deploy-service/universal/src/test/java/com/pinterest/teletraan/universal/security/BasePastisAuthorizerTest.java b/deploy-service/universal/src/test/java/com/pinterest/teletraan/universal/security/BasePastisAuthorizerTest.java
index 7a6fe46829..e1c4323a83 100644
--- a/deploy-service/universal/src/test/java/com/pinterest/teletraan/universal/security/BasePastisAuthorizerTest.java
+++ b/deploy-service/universal/src/test/java/com/pinterest/teletraan/universal/security/BasePastisAuthorizerTest.java
@@ -60,17 +60,19 @@ class BasePastisAuthorizerTest {
private static PastisAuthorizer pastis;
private static AuthZResourceExtractor.Factory factory;
+ private BasePastisAuthorizer sut;
+
@BeforeEach
public void setUp() {
context = mock(ContainerRequestContext.class);
pastis = mock(PastisAuthorizer.class);
factory = mock(AuthZResourceExtractor.Factory.class);
+ sut = new BasePastisAuthorizer(pastis, factory);
}
@ParameterizedTest
@ValueSource(strings = {ACTION_READ, ACTION_WRITE})
void testAuthorize_userPrincipal(String action) {
- BasePastisAuthorizer sut = new BasePastisAuthorizer<>(pastis, factory);
UserPrincipal principal = new UserPrincipal(PRINCIPAL_NAME, Arrays.asList(GROUP_NAME));
sut.authorize(principal, action, resource, context);
verify(pastis)
@@ -87,7 +89,6 @@ void testAuthorize_userPrincipal(String action) {
@Test
void testAuthorize_userPrincipal_failure() {
- BasePastisAuthorizer sut = new BasePastisAuthorizer<>(pastis, factory);
UserPrincipal principal = new UserPrincipal(PRINCIPAL_NAME, Arrays.asList(GROUP_NAME));
when(pastis.authorize(anyString())).thenThrow(new RuntimeException());
assertFalse(sut.authorize(principal, ACTION_READ, resource, context));
@@ -96,7 +97,6 @@ void testAuthorize_userPrincipal_failure() {
@ParameterizedTest
@ValueSource(strings = {ACTION_READ, ACTION_WRITE})
void testAuthorize_servicePrincipal(String action) {
- BasePastisAuthorizer sut = new BasePastisAuthorizer<>(pastis, factory);
ServicePrincipal principal = new ServicePrincipal(SPIFFE_ID);
sut.authorize(principal, action, resource, context);
verify(pastis)
@@ -120,7 +120,6 @@ void testBuilder() {
@ParameterizedTest
@ValueSource(strings = {ACTION_READ, ACTION_WRITE})
void testAuthorize_payloadContainsOptionalFields(String action) {
- BasePastisAuthorizer sut = new BasePastisAuthorizer<>(pastis, factory);
UserPrincipal principal = new UserPrincipal(PRINCIPAL_NAME, Arrays.asList(GROUP_NAME));
sut.authorize(principal, action, resourceWithOptionalFields, context);
verify(pastis)