Introduce universal/security library for AuthN and AuthZ (#1486)

commit-id:17aa4dbb
pinterest · Mar 13, 2024 · 3eda73e · 3eda73e
1 parent d2cd33d
commit 3eda73e
Show file tree

Hide file tree

Showing 37 changed files with 2,224 additions and 26 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -39,8 +39,22 @@ jobs:
         languages: ${{ matrix.language }}
         config-file: ./.github/codeql-config.yml
 
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+    - if: matrix.language == 'python'
+      name: Autobuild
+      uses: github/codeql-action/autobuild@v3
+
+    - if: matrix.language == 'java'
+      name: Set up JDK 1.8
+      uses: actions/setup-java@v4
+      with:
+        distribution: corretto
+        java-version: 8
+        cache: 'maven'
+    - if: matrix.language == 'java'
+      name: Build with Maven
+      working-directory: deploy-service
+      run: |
+          mvn clean package --file pom.xml -P-pinterest-dependenies,exclude-pinterest-only-classes -B -V -e -Dfindbugs.skip -Dcheckstyle.skip -Dpmd.skip=true -Dspotbugs.skip -Denforcer.skip -Dmaven.javadoc.skip -DskipTests -Dmaven.test.skip.exec -Dlicense.skip=true -Drat.skip=true -Dspotless.check.skip=true
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v2
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
@@ -4,22 +4,29 @@ on:
   push:
     branches:
     - master
+    paths:
+    - 'deploy-service/**'
+    - '.github/workflows/maven.yml'
   pull_request:
     branches:
     - master
+    paths:
+    - 'deploy-service/**'
+    - '.github/workflows/maven.yml'
 
 jobs:
   build:
-
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v1
+    - uses: actions/checkout@v4
     - name: Set up JDK 1.8
-      uses: actions/setup-java@v1
+      uses: actions/setup-java@v4
       with:
-        java-version: 1.8
+        distribution: corretto
+        java-version: 8
+        cache: 'maven'
     - name: Build with Maven
+      working-directory: deploy-service
       run: |
-        cd deploy-service
-        mvn package --file pom.xml
+        mvn clean package --file pom.xml -P-pinterest-dependenies,exclude-pinterest-only-classes
diff --git a/deploy-service/pom.xml b/deploy-service/pom.xml
@@ -38,7 +38,7 @@
             <dependency>
                 <groupId>io.projectreactor</groupId>
                 <artifactId>reactor-bom</artifactId>
-                <version>2022.0.9</version>
+                <version>2023.0.3</version>
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>

diff --git a/deploy-service/universal/pom.xml b/deploy-service/universal/pom.xml
@@ -21,14 +21,15 @@
     <maven.compiler.source>1.8</maven.compiler.source>
     <maven.compiler.target>1.8</maven.compiler.target>
     <micrometer.version>1.11.3</micrometer.version>
+    <pinterest.commons.version>0.1-20220908.230942-22097</pinterest.commons.version>
   </properties>
 
   <dependencyManagement>
     <dependencies>
       <dependency>
         <groupId>io.projectreactor</groupId>
         <artifactId>reactor-bom</artifactId>
-        <version>2022.0.9</version>
+        <version>2023.0.3</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
@@ -59,6 +60,10 @@
       <groupId>io.projectreactor.netty</groupId>
       <artifactId>reactor-netty-core</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.projectreactor.netty</groupId>
+      <artifactId>reactor-netty-http</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.projectlombok</groupId>
       <artifactId>lombok</artifactId>
@@ -73,7 +78,33 @@
     <dependency>
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-api</artifactId>
-      <version>2.0.9</version>
+      <version>1.7.36</version>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-databind</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+      <version>32.1.2-jre</version>
+    </dependency>
+    <dependency>
+      <groupId>javax.ws.rs</groupId>
+      <artifactId>javax.ws.rs-api</artifactId>
+      <version>2.1</version>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>javax.annotation</groupId>
+      <artifactId>javax.annotation-api</artifactId>
+      <version>1.3.2</version>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-auth</artifactId>
+      <version>${dropwizard.version}</version>
     </dependency>
 
     <!-- Test dependencies -->
@@ -96,15 +127,9 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-log4j12</artifactId>
-      <version>1.7.32</version>
-      <scope>test</scope>
-    </dependency>
-    <dependency>
-      <groupId>com.google.guava</groupId>
-      <artifactId>guava</artifactId>
-      <version>32.1.2-jre</version>
+      <groupId>com.squareup.okhttp3</groupId>
+      <artifactId>mockwebserver</artifactId>
+      <version>4.12.0</version>
       <scope>test</scope>
     </dependency>
   </dependencies>
@@ -115,14 +140,14 @@
       <plugins>
         <plugin>
           <artifactId>maven-deploy-plugin</artifactId>
-          <version>2.8.2</version>
-          <configuration>  
-            <skip>true</skip>  
+          <version>3.1.1</version>
+          <configuration>
+            <skip>true</skip>
           </configuration>
         </plugin>
         <plugin>
           <artifactId>maven-project-info-reports-plugin</artifactId>
-          <version>3.0.0</version>
+          <version>3.5.0</version>
         </plugin>
       </plugins>
     </pluginManagement>
@@ -141,10 +166,11 @@
       </plugin>
       <plugin>
         <!-- This is Pinterest deployment specific. -->
-        <!-- For non-Pinterest deployments, remove this block and use the maven-deploy-plugin instead. -->
+        <!-- For non-Pinterest deployments, remove this block and use the maven-deploy-plugin
+        instead. -->
         <groupId>org.codehaus.mojo</groupId>
         <artifactId>exec-maven-plugin</artifactId>
-        <version>3.0.0</version>  
+        <version>3.0.0</version>
         <executions>
           <execution>
             <id>artifactory-push-deploy</id>
@@ -181,4 +207,109 @@
       </plugin>
     </plugins>
   </build>
+
+  <profiles>
+    <profile>
+      <id>pinterest-dependenies</id>
+      <activation>
+        <activeByDefault>true</activeByDefault>
+      </activation>
+      <repositories>
+        <repository>
+          <!-- Single end point to fetch all maven artifacts.  -->
+          <id>maven-virtual</id>
+          <name>maven-virtual</name>
+          <url>https://artifacts-prod-use1.pinadmin.com/artifactory/maven-virtual/</url>
+        </repository>
+        <repository>
+          <id>artifactory-thirdparty-prod</id>
+          <name>artifactory-thirdparty-prod</name>
+          <url>https://artifacts-prod-use1.pinadmin.com/artifactory/maven_thirdparty-jar-bazel-prod-local</url>
+          <releases>
+            <enabled>true</enabled>
+          </releases>
+          <snapshots>
+            <enabled>false</enabled>
+          </snapshots>
+        </repository>
+        <repository>
+          <id>artifactory-legacy-prod</id>
+          <name>artifactory-legacy-prod</name>
+          <url>https://artifacts-prod-use1.pinadmin.com/artifactory/maven_legacy-jar-bazel-prod-local</url>
+          <releases>
+            <enabled>true</enabled>
+          </releases>
+          <snapshots>
+            <enabled>false</enabled>
+          </snapshots>
+        </repository>
+        <repository>
+          <id>artifactory-private-snapshots-prod</id>
+          <name>artifactory-private-snapshots-prod</name>
+          <url>https://artifacts-prod-use1.pinadmin.com/artifactory/maven_private_snapshots-jar-bazel-prod-local</url>
+          <releases>
+            <enabled>false</enabled>
+          </releases>
+          <snapshots>
+            <enabled>true</enabled>
+          </snapshots>
+        </repository>
+      </repositories>
+      <dependencies>
+        <dependency>
+          <groupId>com.pinterest.optimus.commons</groupId>
+          <artifactId>pinterest-commons</artifactId>
+          <version>${pinterest.commons.version}</version>
+          <exclusions>
+            <exclusion>
+              <groupId>org.slf4j</groupId>
+              <artifactId>*</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>com.amazonaws</groupId>
+              <artifactId>*</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>com.pinterest.schemas</groupId>
+              <artifactId>schemas_jdk18</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>com.pinterest</groupId>
+              <artifactId>libjava_fbs</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>com.google.flatbuffers</groupId>
+              <artifactId>flatbuffers-java</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>com.pinterest.psc</groupId>
+              <artifactId>psc-internal-shaded</artifactId>
+            </exclusion>
+          </exclusions>
+        </dependency>
+      </dependencies>
+    </profile>
+
+    <profile>
+      <!-- If you are outside Pinterest, use this profile instead -->
+      <!-- i.e. mvn clean package -P-pinterest-dependenies,exclude-pinterest-only-classes -->
+      <id>exclude-pinterest-only-classes</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-compiler-plugin</artifactId>
+            <configuration>
+              <excludes>
+                <exclude>**/BasePastisAuthorizer.java</exclude>
+              </excludes>
+              <testExcludes>
+                <testExclude>**/BasePastisAuthorizerTest.java</testExclude>
+              </testExcludes>
+            </configuration>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+  </profiles>
 </project>
diff --git a/...iversal/src/main/java/com/pinterest/teletraan/universal/security/AnonymousAuthFilter.java b/...iversal/src/main/java/com/pinterest/teletraan/universal/security/AnonymousAuthFilter.java
@@ -0,0 +1,68 @@
+/**
+ * Copyright (c) 2024 Pinterest, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.pinterest.teletraan.universal.security;
+
+import com.pinterest.teletraan.universal.security.bean.AnonymousUser;
+import java.io.IOException;
+import java.security.Principal;
+import javax.annotation.Priority;
+import javax.ws.rs.Priorities;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.core.SecurityContext;
+import javax.ws.rs.ext.Provider;
+
+/**
+ * A filter for authenticating and authorizing any request as an anonymous user. For development use
+ * only.
+ */
+@Provider
+@Priority(Priorities.AUTHENTICATION)
+public class AnonymousAuthFilter implements ContainerRequestFilter {
+    public static final AnonymousUser USER = new AnonymousUser();
+    private SecurityContext securityContext;
+
+    public AnonymousAuthFilter() {
+        securityContext =
+                new SecurityContext() {
+
+                    @Override
+                    public Principal getUserPrincipal() {
+                        return AnonymousAuthFilter.USER;
+                    }
+
+                    @Override
+                    public boolean isUserInRole(String s) {
+                        return true;
+                    }
+
+                    @Override
+                    public boolean isSecure() {
+                        return false;
+                    }
+
+                    @Override
+                    public String getAuthenticationScheme() {
+                        return "Anonymous";
+                    }
+                };
+    }
+
+    @Override
+    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
+        containerRequestContext.setSecurityContext(securityContext);
+    }
+}