Merge pull request #1068 from zalando/feature_force_event_type_authz

Feature to force an authorization section for creation and update of ET
zalando · Jun 27, 2019 · eb665e5 · eb665e5
2 parents e98f524 + 8d9240f
commit eb665e5
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 1 deletion.
diff --git a/src/main/java/org/zalando/nakadi/controller/advice/EventTypeExceptionHandler.java b/src/main/java/org/zalando/nakadi/controller/advice/EventTypeExceptionHandler.java
@@ -5,6 +5,7 @@
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.context.request.NativeWebRequest;
 import org.zalando.nakadi.controller.EventTypeController;
+import org.zalando.nakadi.exceptions.runtime.AuthorizationSectionException;
 import org.zalando.nakadi.exceptions.runtime.ConflictException;
 import org.zalando.nakadi.exceptions.runtime.DuplicatedEventTypeNameException;
 import org.zalando.nakadi.exceptions.runtime.EventTypeDeletionException;
@@ -32,6 +33,7 @@ public class EventTypeExceptionHandler implements AdviceTrait {
     @ExceptionHandler({InvalidEventTypeException.class,
             UnableProcessException.class,
             EventTypeOptionsValidationException.class,
+            AuthorizationSectionException.class,
             NoSuchPartitionStrategyException.class})
     public ResponseEntity<Problem> handleUnprocessableEntityResponses(final NakadiBaseException exception,
                                                                       final NativeWebRequest request) {

diff --git a/src/main/java/org/zalando/nakadi/exceptions/runtime/AuthorizationSectionException.java b/src/main/java/org/zalando/nakadi/exceptions/runtime/AuthorizationSectionException.java
@@ -0,0 +1,8 @@
+package org.zalando.nakadi.exceptions.runtime;
+
+public class AuthorizationSectionException extends NakadiBaseException {
+
+    public AuthorizationSectionException(final String message) {
+        super(message);
+    }
+}
diff --git a/src/main/java/org/zalando/nakadi/service/EventTypeService.java b/src/main/java/org/zalando/nakadi/service/EventTypeService.java
@@ -26,6 +26,7 @@
 import org.zalando.nakadi.domain.Timeline;
 import org.zalando.nakadi.enrichment.Enrichment;
 import org.zalando.nakadi.exceptions.runtime.AccessDeniedException;
+import org.zalando.nakadi.exceptions.runtime.AuthorizationSectionException;
 import org.zalando.nakadi.exceptions.runtime.ConflictException;
 import org.zalando.nakadi.exceptions.runtime.DbWriteOperationsBlockedException;
 import org.zalando.nakadi.exceptions.runtime.DuplicatedEventTypeNameException;
@@ -70,6 +71,7 @@
 import java.util.stream.Collectors;
 
 import static org.zalando.nakadi.service.FeatureToggleService.Feature.DELETE_EVENT_TYPE_WITH_SUBSCRIPTIONS;
+import static org.zalando.nakadi.service.FeatureToggleService.Feature.FORCE_EVENT_TYPE_AUTHZ;
 
 @Component
 public class EventTypeService {
@@ -136,7 +138,8 @@ public List<EventType> list() {
     }
 
     public void create(final EventTypeBase eventType, final boolean checkAuth)
-            throws TopicCreationException,
+            throws AuthorizationSectionException,
+            TopicCreationException,
             InternalNakadiException,
             NoSuchPartitionStrategyException,
             DuplicatedEventTypeNameException,
@@ -158,6 +161,9 @@ public void create(final EventTypeBase eventType, final boolean checkAuth)
         validateCompaction(eventType);
         enrichment.validate(eventType);
         partitionResolver.validate(eventType);
+        if (featureToggleService.isFeatureEnabled(FORCE_EVENT_TYPE_AUTHZ) && eventType.getAuthorization() == null) {
+            throw new AuthorizationSectionException("Authorization section is mandatory");
+        }
         if (checkAuth) {
             authorizationValidator.validateAuthorization(eventType.asBaseResource());
         }
@@ -347,6 +353,11 @@ public void update(final String eventTypeName,
             updatingCloser = timelineSync.workWithEventType(eventTypeName, nakadiSettings.getTimelineWaitTimeoutMs());
             original = eventTypeRepository.findByName(eventTypeName);
 
+            if (featureToggleService.isFeatureEnabled(FORCE_EVENT_TYPE_AUTHZ)
+                    && eventTypeBase.getAuthorization() == null) {
+                throw new AuthorizationSectionException("Authorization section is mandatory");
+            }
+
             authorizationValidator.authorizeEventTypeView(original);
             if (!adminService.isAdmin(AuthorizationService.Operation.WRITE)) {
                 eventTypeOptionsValidator.checkRetentionTime(eventTypeBase.getOptions());

diff --git a/src/main/java/org/zalando/nakadi/service/FeatureToggleService.java b/src/main/java/org/zalando/nakadi/service/FeatureToggleService.java
@@ -40,6 +40,7 @@ enum Feature {
         AUDIT_LOG_COLLECTION("audit_log_collection"),
         DISABLE_DB_WRITE_OPERATIONS("disable_db_write_operations"),
         DISABLE_LOG_COMPACTION("disable_log_compaction"),
+        FORCE_EVENT_TYPE_AUTHZ("force_event_type_authz"),
         FORCE_SUBSCRIPTION_AUTHZ("force_subscription_authz");
 
         private final String id;

diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -182,4 +182,5 @@ nakadi.features.defaultFeatures:
   REMOTE_TOKENINFO: true
   KPI_COLLECTION: true
   DISABLE_DB_WRITE_OPERATIONS: false
+  FORCE_EVENT_TYPE_AUTHZ: false
   FORCE_SUBSCRIPTION_AUTHZ: false