Skip to content

Commit

Permalink
Add support for composite AuthN and AuthZ filters
Browse files Browse the repository at this point in the history
commit-id:eb5c1322
  • Loading branch information
tylerwowen committed Mar 4, 2024
1 parent 6373d80 commit a502447
Show file tree
Hide file tree
Showing 5 changed files with 138 additions and 0 deletions.
19 changes: 19 additions & 0 deletions deploy-service/teletraanservice/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -173,5 +173,24 @@
</plugins>
</build>
</profile>

<profile>
<!-- If you are outside Pinterest, use this profile instead -->
<!-- i.e. mvn clean package -P-pinterest-dependenies,exclude-pinterest-only-classes -->
<id>exclude-pinterest-only-classes</id>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<excludes>
<exclude>com/pinterest/teletraan/config/CompositeAuthorizationFactory.java</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
/**
* Copyright (c) 2024 Pinterest, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.pinterest.teletraan.config;

import com.codahale.metrics.MetricRegistry;
import com.codahale.metrics.SharedMetricRegistries;
import com.fasterxml.jackson.annotation.JsonTypeName;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.pinterest.teletraan.TeletraanServiceContext;
import com.pinterest.teletraan.universal.security.EnvoyAuthFilter;
import com.pinterest.teletraan.universal.security.EnvoyAuthenticator;
import com.pinterest.teletraan.universal.security.bean.EnvoyCredentials;
import com.pinterest.teletraan.universal.security.bean.TeletraanPrincipal;
import io.dropwizard.auth.AuthFilter;
import io.dropwizard.auth.CachingAuthenticator;
import io.dropwizard.auth.chained.ChainedAuthFilter;
import java.util.Arrays;
import java.util.List;
import javax.ws.rs.container.ContainerRequestFilter;

@JsonTypeName("composite")
public class CompositeAuthenticationFactory extends TokenAuthenticationFactory {
@SuppressWarnings({"rawtypes", "unchecked"})
@Override
public ContainerRequestFilter create(TeletraanServiceContext context) throws Exception {
List<AuthFilter> tokenFilters = createAuthFilters(context);
MetricRegistry registry = SharedMetricRegistries.getDefault();
Caffeine<Object, Object> cacheBuilder = Caffeine.from(getTokenCacheSpec());

CachingAuthenticator<EnvoyCredentials, TeletraanPrincipal> cachingEnvoyAuthenticator =
new CachingAuthenticator<>(registry, new EnvoyAuthenticator(), cacheBuilder);
AuthFilter<EnvoyCredentials, TeletraanPrincipal> envoyAuthFilter =
new EnvoyAuthFilter.Builder<TeletraanPrincipal>()
.setAuthenticator(cachingEnvoyAuthenticator)
.setAuthorizer(context.getAuthorizationFactory().create(context))
.buildAuthFilter();

List<AuthFilter> filters = Arrays.asList(envoyAuthFilter);
tokenFilters.add(envoyAuthFilter);

return new ChainedAuthFilter(filters);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
/**
* Copyright (c) 2024 Pinterest, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.pinterest.teletraan.config;

import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonTypeName;
import com.pinterest.teletraan.TeletraanServiceContext;
import com.pinterest.teletraan.security.ScriptTokenRoleAuthorizer;
import com.pinterest.teletraan.security.UserRoleAuthorizer;
import com.pinterest.teletraan.universal.security.BasePastisAuthorizer;
import com.pinterest.teletraan.universal.security.bean.ServicePrincipal;
import com.pinterest.teletraan.universal.security.bean.TeletraanPrincipal;
import com.pinterest.teletraan.universal.security.bean.UserPrincipal;
import io.dropwizard.auth.Authorizer;

@JsonTypeName("composite")
public class CompositeAuthorizationFactory implements AuthorizationFactory {
private static final String DEFAULT_PASTIS_SERVICE_NAME = "teletraan_dev";

@JsonProperty
private String pastisServiceName = DEFAULT_PASTIS_SERVICE_NAME;

public void setPastisServiceName(String pastisServiceName) {
this.pastisServiceName = pastisServiceName;
}

public String getPastisServiceName() {
return pastisServiceName;
}

@Override
public <P extends TeletraanPrincipal> Authorizer<P> create(TeletraanServiceContext context)
throws Exception {
return (Authorizer<P>) BasePastisAuthorizer.builder().factory(context.getAuthZResourceExtractorFactory())
.serviceName(pastisServiceName).build();
}

@Override
public <P extends TeletraanPrincipal> Authorizer<? extends TeletraanPrincipal> create(
TeletraanServiceContext context, Class<P> principalClass) throws Exception {
if (principalClass.equals(ServicePrincipal.class)) {
return new ScriptTokenRoleAuthorizer(context.getAuthZResourceExtractorFactory());
} else if (principalClass.equals(UserPrincipal.class)) {
return new UserRoleAuthorizer(context, context.getAuthZResourceExtractorFactory());
}
return create(context);
}
}
Original file line number Diff line number Diff line change
@@ -1,2 +1,3 @@
com.pinterest.teletraan.config.AnonymousAuthenticationFactory
com.pinterest.teletraan.config.TokenAuthenticationFactory
com.pinterest.teletraan.config.CompositeAuthenticationFactory
Original file line number Diff line number Diff line change
@@ -1,2 +1,3 @@
com.pinterest.teletraan.config.OpenAuthorizationFactory
com.pinterest.teletraan.config.TokenAuthorizationFactory
com.pinterest.teletraan.config.CompositeAuthorizationFactory

0 comments on commit a502447

Please sign in to comment.