Merge pull request #727 from zalando/ARUHA-983-dont-authorize-sub-create

ARUHA-983: removed authorization for subscription creation;

CHANGELOG.md

@@ -6,9 +6,14 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+## [2.0.1] - 2017-08-11
+
 ### Fixed
 - Added validation of offsets availability when resetting subscription cursors.
 
+### Changed
+- Removed authorization for subscription creation
+
 ## [2.0.0] - 2017-08-09
 
 ### Changed

docs/_data/nakadi-event-bus-api.yaml

@@ -878,8 +878,6 @@ paths:
         this endpoint is invoked several times with the same key subscription properties in body (order of even_types is
         not important) - the subscription will be created only once and for all other calls it will just return
         the subscription that was already created.
-        If per-EventType authorization is enabled, the caller must be authorized to read from all the EventTypes in the
-        subscription.
       parameters:
         - name: subscription
           in: body
@@ -922,10 +920,6 @@ paths:
           description: Unprocessable Entity
           schema:
             $ref: '#/definitions/Problem'
-        '403':
-          description: Access forbidden because of missing scope or EventType authorization failure.
-          schema:
-            $ref: '#/definitions/Problem'
     get:
       tags:
         - subscription-api

src/main/java/org/zalando/nakadi/controller/PostSubscriptionController.java

@@ -26,7 +26,6 @@
 import org.zalando.nakadi.plugin.api.ApplicationService;
 import org.zalando.nakadi.problem.ValidationProblem;
 import org.zalando.nakadi.security.Client;
-import org.zalando.nakadi.service.AuthorizationValidator;
 import org.zalando.nakadi.service.subscription.SubscriptionService;
 import org.zalando.nakadi.util.FeatureToggleService;
 import org.zalando.problem.MoreStatus;
@@ -52,17 +51,14 @@ public class PostSubscriptionController {
     private final FeatureToggleService featureToggleService;
     private final ApplicationService applicationService;
     private final SubscriptionService subscriptionService;
-    private final AuthorizationValidator authorizationValidator;
 
     @Autowired
     public PostSubscriptionController(final FeatureToggleService featureToggleService,
                                       final ApplicationService applicationService,
-                                      final SubscriptionService subscriptionService,
-                                      final AuthorizationValidator authorizationValidator) {
+                                      final SubscriptionService subscriptionService) {
         this.featureToggleService = featureToggleService;
         this.applicationService = applicationService;
         this.subscriptionService = subscriptionService;
-        this.authorizationValidator = authorizationValidator;
     }
 
     @RequestMapping(value = "/subscriptions", method = RequestMethod.POST)
@@ -76,8 +72,6 @@ public ResponseEntity<?> createOrGetSubscription(@Valid @RequestBody final Subsc
             return Responses.create(new ValidationProblem(errors), request);
         }
 
-        authorizationValidator.authorizeSubscriptionRead(subscriptionBase);
-
         if (featureToggleService.isFeatureEnabled(CHECK_OWNING_APPLICATION)
                 && !applicationService.exists(subscriptionBase.getOwningApplication())) {
             return Responses.create(Problem.valueOf(MoreStatus.UNPROCESSABLE_ENTITY,

src/test/java/org/zalando/nakadi/controller/PostSubscriptionControllerTest.java

@@ -1,11 +1,9 @@
 package org.zalando.nakadi.controller;
 
 import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 import org.junit.Test;
-import org.mockito.Mockito;
 import org.springframework.core.MethodParameter;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.converter.StringHttpMessageConverter;
@@ -16,26 +14,21 @@
 import org.springframework.web.context.request.NativeWebRequest;
 import org.springframework.web.method.support.HandlerMethodArgumentResolver;
 import org.springframework.web.method.support.ModelAndViewContainer;
-import org.zalando.nakadi.domain.EventType;
 import org.zalando.nakadi.domain.Subscription;
 import org.zalando.nakadi.domain.SubscriptionBase;
 import org.zalando.nakadi.exceptions.runtime.NoEventTypeException;
 import org.zalando.nakadi.exceptions.runtime.NoSubscriptionException;
 import org.zalando.nakadi.exceptions.runtime.TooManyPartitionsException;
 import org.zalando.nakadi.plugin.api.ApplicationService;
-import org.zalando.nakadi.repository.EventTypeRepository;
 import org.zalando.nakadi.security.NakadiClient;
-import org.zalando.nakadi.service.AuthorizationValidator;
 import org.zalando.nakadi.service.subscription.SubscriptionService;
 import org.zalando.nakadi.util.FeatureToggleService;
 import org.zalando.nakadi.utils.TestUtils;
 import org.zalando.problem.Problem;
 
 import java.util.HashSet;
-import java.util.Optional;
 import java.util.Set;
 
-import static javax.ws.rs.core.Response.Status.FORBIDDEN;
 import static org.mockito.Matchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -48,7 +41,6 @@
 import static org.zalando.nakadi.util.FeatureToggleService.Feature.DISABLE_SUBSCRIPTION_CREATION;
 import static org.zalando.nakadi.utils.RandomSubscriptionBuilder.builder;
 import static org.zalando.nakadi.utils.TestUtils.invalidProblem;
-import static org.zalando.nakadi.utils.TestUtils.mockAccessDeniedException;
 import static org.zalando.problem.MoreStatus.UNPROCESSABLE_ENTITY;
 import static uk.co.datumedge.hamcrest.json.SameJSONAs.sameJSONAs;
 
@@ -61,8 +53,6 @@ public class PostSubscriptionControllerTest {
     private final ApplicationService applicationService = mock(ApplicationService.class);
     private final FeatureToggleService featureToggleService = mock(FeatureToggleService.class);
     private final SubscriptionService subscriptionService = mock(SubscriptionService.class);
-    private final EventTypeRepository eventTypeRepository = mock(EventTypeRepository.class);
-    private final AuthorizationValidator authorizationValidator = mock(AuthorizationValidator.class);
 
 
     public PostSubscriptionControllerTest() throws Exception {
@@ -75,11 +65,8 @@ public PostSubscriptionControllerTest() throws Exception {
 
         when(subscriptionService.getSubscriptionUri(any())).thenCallRealMethod();
 
-        final EventType eventType = mock(EventType.class);
-        when(eventTypeRepository.findByNameO(any())).thenReturn(Optional.of(eventType));
-
         final PostSubscriptionController controller = new PostSubscriptionController(featureToggleService,
-                applicationService, subscriptionService, authorizationValidator);
+                applicationService, subscriptionService);
 
         mockMvcBuilder = standaloneSetup(controller)
                 .setMessageConverters(new StringHttpMessageConverter(), TestUtils.JACKSON_2_HTTP_MESSAGE_CONVERTER)
@@ -228,19 +215,6 @@ public void whenSubscriptionExistsThenReturnIt() throws Exception {
                 .andExpect(header().doesNotExist("Content-Location"));
     }
 
-    @Test
-    public void whenEventTypeIsNotAuthorizedThenForbidden() throws Exception {
-        final Subscription subscription = mock(Subscription.class);
-        when(subscription.getEventTypes()).thenReturn(Sets.newHashSet("event-type-name"));
-        when(eventTypeRepository.findByNameO(any())).thenReturn(Optional.of(mock(EventType.class)));
-
-        Mockito.doThrow(mockAccessDeniedException()).when(authorizationValidator)
-                .authorizeSubscriptionRead(any());
-
-        final Problem expectedProblem = Problem.valueOf(FORBIDDEN, "Access on READ some-type:some-name denied");
-        checkForProblem(postSubscription(builder().buildSubscriptionBase()), expectedProblem);
-    }
-
     private void checkForProblem(final ResultActions resultActions, final Problem expectedProblem) throws Exception {
         resultActions
                 .andExpect(status().is(expectedProblem.getStatus().getStatusCode()))