From 76d98accb13fcbb9e2295fd7a61427d2491e546c Mon Sep 17 00:00:00 2001 From: Lionel Montrieux Date: Tue, 18 Jun 2019 16:52:13 +0200 Subject: [PATCH 1/3] Feature to force an authorization section for creation and update of ET In order to create or update an event type, one must provide an authorization section, if the feature FORCE_EVENT_TYPE_AUTHZ is enabled --- .../controller/advice/EventTypeExceptionHandler.java | 2 ++ .../exceptions/runtime/AuthorizationSectionException.java | 8 ++++++++ .../java/org/zalando/nakadi/service/EventTypeService.java | 8 +++++++- .../org/zalando/nakadi/service/FeatureToggleService.java | 3 ++- src/main/resources/application.yml | 1 + 5 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 src/main/java/org/zalando/nakadi/exceptions/runtime/AuthorizationSectionException.java diff --git a/src/main/java/org/zalando/nakadi/controller/advice/EventTypeExceptionHandler.java b/src/main/java/org/zalando/nakadi/controller/advice/EventTypeExceptionHandler.java index b3940363d3..dfbd607915 100644 --- a/src/main/java/org/zalando/nakadi/controller/advice/EventTypeExceptionHandler.java +++ b/src/main/java/org/zalando/nakadi/controller/advice/EventTypeExceptionHandler.java @@ -5,6 +5,7 @@ import org.springframework.web.bind.annotation.ExceptionHandler; import org.springframework.web.context.request.NativeWebRequest; import org.zalando.nakadi.controller.EventTypeController; +import org.zalando.nakadi.exceptions.runtime.AuthorizationSectionException; import org.zalando.nakadi.exceptions.runtime.ConflictException; import org.zalando.nakadi.exceptions.runtime.DuplicatedEventTypeNameException; import org.zalando.nakadi.exceptions.runtime.EventTypeDeletionException; 
@@ -32,6 +33,7 @@ public class EventTypeExceptionHandler implements AdviceTrait { @ExceptionHandler({InvalidEventTypeException.class, UnableProcessException.class, EventTypeOptionsValidationException.class, + AuthorizationSectionException.class, NoSuchPartitionStrategyException.class}) public ResponseEntity handleUnprocessableEntityResponses(final NakadiBaseException exception, final NativeWebRequest request) { diff --git a/src/main/java/org/zalando/nakadi/exceptions/runtime/AuthorizationSectionException.java b/src/main/java/org/zalando/nakadi/exceptions/runtime/AuthorizationSectionException.java new file mode 100644 index 0000000000..14580d52cb --- /dev/null +++ b/src/main/java/org/zalando/nakadi/exceptions/runtime/AuthorizationSectionException.java @@ -0,0 +1,8 @@ +package org.zalando.nakadi.exceptions.runtime; + +public class AuthorizationSectionException extends NakadiBaseException { + + public AuthorizationSectionException(final String message) { + super(message); + } +} diff --git a/src/main/java/org/zalando/nakadi/service/EventTypeService.java b/src/main/java/org/zalando/nakadi/service/EventTypeService.java index 64bba0764c..e300955adb 100644 --- a/src/main/java/org/zalando/nakadi/service/EventTypeService.java +++ b/src/main/java/org/zalando/nakadi/service/EventTypeService.java @@ -26,6 +26,7 @@ import org.zalando.nakadi.domain.Timeline; import org.zalando.nakadi.enrichment.Enrichment; import org.zalando.nakadi.exceptions.runtime.AccessDeniedException; +import org.zalando.nakadi.exceptions.runtime.AuthorizationSectionException; import org.zalando.nakadi.exceptions.runtime.ConflictException; import org.zalando.nakadi.exceptions.runtime.DbWriteOperationsBlockedException; import org.zalando.nakadi.exceptions.runtime.DuplicatedEventTypeNameException; 
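Review bot: AuthorizationSectionException (the new-file hunk) carries no Javadoc, so nothing tells the next maintainer when it is thrown or why it belongs in the unprocessable-entity handler list registered in the EventTypeExceptionHandler hunk on the same line. The class is only eight lines and the whole file is in the hunk, so a class comment is all that is missing; something like `/** Thrown when an event type is created or updated without an authorization section while FORCE_EVENT_TYPE_AUTHZ is enabled. Handled by EventTypeExceptionHandler.handleUnprocessableEntityResponses. */` would do. It would also be worth stating there whether the message is meant to reach API clients verbatim, since the handler presumably renders it into the response body.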
@@ -70,6 +71,7 @@ import java.util.stream.Collectors; import static org.zalando.nakadi.service.FeatureToggleService.Feature.DELETE_EVENT_TYPE_WITH_SUBSCRIPTIONS; +import static org.zalando.nakadi.service.FeatureToggleService.Feature.FORCE_EVENT_TYPE_AUTHZ; @Component public class EventTypeService { @@ -136,7 +138,8 @@ public List list() { } public void create(final EventTypeBase eventType, final boolean checkAuth) - throws TopicCreationException, + throws AuthorizationSectionException, + TopicCreationException, InternalNakadiException, NoSuchPartitionStrategyException, DuplicatedEventTypeNameException, @@ -158,6 +161,9 @@ public void create(final EventTypeBase eventType, final boolean checkAuth) validateCompaction(eventType); enrichment.validate(eventType); partitionResolver.validate(eventType); + if (featureToggleService.isFeatureEnabled(FORCE_EVENT_TYPE_AUTHZ) && eventType.getAuthorization() == null) { + throw new AuthorizationSectionException("Authorization section is mandatory"); + } if (checkAuth) { authorizationValidator.validateAuthorization(eventType.asBaseResource()); } diff --git a/src/main/java/org/zalando/nakadi/service/FeatureToggleService.java b/src/main/java/org/zalando/nakadi/service/FeatureToggleService.java index 736e6fe7b2..692b4ef67b 100644 --- a/src/main/java/org/zalando/nakadi/service/FeatureToggleService.java +++ b/src/main/java/org/zalando/nakadi/service/FeatureToggleService.java @@ -39,7 +39,8 @@ enum Feature { KPI_COLLECTION("kpi_collection"), AUDIT_LOG_COLLECTION("audit_log_collection"), DISABLE_DB_WRITE_OPERATIONS("disable_db_write_operations"), - DISABLE_LOG_COMPACTION("disable_log_compaction"); + DISABLE_LOG_COMPACTION("disable_log_compaction"), + FORCE_EVENT_TYPE_AUTHZ("force_event_type_authz"); private final String id; diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml index d0223fe91a..ae72928540 100644 --- a/src/main/resources/application.yml +++ b/src/main/resources/application.yml 
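Review bot: The new guard in create() only rejects a missing section (`eventType.getAuthorization() == null`); an authorization object that is present but has no entries passes it, and the only content validation visible here, `authorizationValidator.validateAuthorization(eventType.asBaseResource())`, runs solely when `checkAuth` is true, so with `checkAuth == false` an empty section satisfies the "mandatory" requirement. Whether that is acceptable depends on who passes `checkAuth == false` (presumably internal callers creating system event types, which is not visible in this hunk) and on whether the toggle is meant to force a section that is merely present or one that actually grants access to someone. If the latter, the guard should also cover the empty case or be folded into validateAuthorization; either way the interaction deserves a comment above the new `if`, e.g. `// FORCE_EVENT_TYPE_AUTHZ: presence of the section is enforced regardless of checkAuth; its contents are validated below only when checkAuth is set`. A test that sends a create request with no authorization while the toggle is on, and one with an empty section, would pin the intended behaviour. create()'s body continues outside the hunk.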
@@ -177,3 +177,4 @@ nakadi.features.defaultFeatures: REMOTE_TOKENINFO: true KPI_COLLECTION: true DISABLE_DB_WRITE_OPERATIONS: false + FORCE_EVENT_TYPE_AUTHZ: true From aa4d156621e87bdeccb99c27feb15032393ea1ef Mon Sep 17 00:00:00 2001 From: Lionel Montrieux Date: Wed, 26 Jun 2019 10:47:51 +0200 Subject: [PATCH 2/3] Check authorization in update path --- .../java/org/zalando/nakadi/service/EventTypeService.java | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/main/java/org/zalando/nakadi/service/EventTypeService.java b/src/main/java/org/zalando/nakadi/service/EventTypeService.java index e300955adb..7fc8c25496 100644 --- a/src/main/java/org/zalando/nakadi/service/EventTypeService.java +++ b/src/main/java/org/zalando/nakadi/service/EventTypeService.java @@ -353,6 +353,11 @@ public void update(final String eventTypeName, updatingCloser = timelineSync.workWithEventType(eventTypeName, nakadiSettings.getTimelineWaitTimeoutMs()); original = eventTypeRepository.findByName(eventTypeName); + if (featureToggleService.isFeatureEnabled(FORCE_EVENT_TYPE_AUTHZ) + && eventTypeBase.getAuthorization() == null) { + throw new AuthorizationSectionException("Authorization section is mandatory"); + } + authorizationValidator.authorizeEventTypeView(original); if (!adminService.isAdmin(AuthorizationService.Operation.WRITE)) { eventTypeOptionsValidator.checkRetentionTime(eventTypeBase.getOptions()); From 8d9240f937c3c5ca3bec7f9da0ad459ec0c189e7 Mon Sep 17 00:00:00 2001 From: Kunal Jha Date: Thu, 27 Jun 2019 16:26:54 +0200 Subject: [PATCH 3/3] minor syntax fix --- .../java/org/zalando/nakadi/service/FeatureToggleService.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/zalando/nakadi/service/FeatureToggleService.java b/src/main/java/org/zalando/nakadi/service/FeatureToggleService.java index 5a03d35907..503eb87878 100644 --- a/src/main/java/org/zalando/nakadi/service/FeatureToggleService.java 
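Review bot: `FORCE_EVENT_TYPE_AUTHZ: true` switches the new enforcement on by default, so on deployment every client that creates an event type without an authorization section, and every update of an existing event type that has none (the update path in PATCH 2 applies the same null check), starts failing with AuthorizationSectionException; the commit message describes the behaviour as conditional on the feature being enabled, but a default of true makes it unconditional for every installation that does not override it. That may well be the intended security posture, but it is a breaking change for existing event types with no authorization, and nothing here records the migration expectation. If default-on is deliberate, a one-line comment beside the entry stating that event types without an authorization section must be migrated before enabling it would make that explicit; otherwise the entry should follow the pattern of `DISABLE_DB_WRITE_OPERATIONS: false` and be enabled per deployment.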
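Review bot: In update() the new FORCE_EVENT_TYPE_AUTHZ check is placed before `authorizationValidator.authorizeEventTypeView(original)`, so a caller who is not permitted to view the event type is answered with the unprocessable-entity error about the missing section before their own access is checked; the usual ordering is to authorize the caller first and validate the request shape afterwards, so that an unauthorized caller learns nothing about server-side configuration from the response. Moving the four added lines to just after the `authorizeEventTypeView(original);` call, with no other change, restores that ordering. The hunk does not show update()'s throws clause; create() in PATCH 1 added `throws AuthorizationSectionException` to its signature, so check that update() declares it as well for consistency, even though the exception lives in the runtime package and presumably compiles either way. update()'s body continues outside the hunk.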
+++ b/src/main/java/org/zalando/nakadi/service/FeatureToggleService.java @@ -40,7 +40,7 @@ enum Feature { AUDIT_LOG_COLLECTION("audit_log_collection"), DISABLE_DB_WRITE_OPERATIONS("disable_db_write_operations"), DISABLE_LOG_COMPACTION("disable_log_compaction"), - FORCE_EVENT_TYPE_AUTHZ("force_event_type_authz"); + FORCE_EVENT_TYPE_AUTHZ("force_event_type_authz"), FORCE_SUBSCRIPTION_AUTHZ("force_subscription_authz"); private final String id;