From 23048d7d188ac51137cb5d130b69f67d59b22775 Mon Sep 17 00:00:00 2001 From: Tyler Ouyang Date: Fri, 1 Mar 2024 16:14:17 -0800 Subject: [PATCH] Add support for composite AuthN and AuthZ filters commit-id:eb5c1322 --- deploy-service/teletraanservice/pom.xml | 19 ++++++ .../CompositeAuthenticationFactory.java | 63 +++++++++++++++++++ .../config/CompositeAuthorizationFactory.java | 63 +++++++++++++++++++ ...est.teletraan.config.AuthenticationFactory | 1 + 4 files changed, 146 insertions(+) create mode 100644 deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthenticationFactory.java create mode 100644 deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthorizationFactory.java diff --git a/deploy-service/teletraanservice/pom.xml b/deploy-service/teletraanservice/pom.xml index 15ee614543..38bb6e9cc7 100644 --- a/deploy-service/teletraanservice/pom.xml +++ b/deploy-service/teletraanservice/pom.xml @@ -166,5 +166,24 @@ + + + + + exclude-pinterest-only-classes + + + + org.apache.maven.plugins + maven-compiler-plugin + + + com/pinterest/teletraan/config/CompositeAuthorizationFactory.java + + + + + + \ No newline at end of file diff --git a/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthenticationFactory.java b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthenticationFactory.java new file mode 100644 index 0000000000..96eedf90ef --- /dev/null +++ b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthenticationFactory.java 
@@ -0,0 +1,63 @@
+/**
+ * Copyright (c) 2024 Pinterest, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.pinterest.teletraan.config;
+
+import com.codahale.metrics.MetricRegistry;
+import com.codahale.metrics.SharedMetricRegistries;
+import com.fasterxml.jackson.annotation.JsonTypeName;
+import com.github.benmanes.caffeine.cache.Caffeine;
+import com.pinterest.teletraan.TeletraanServiceContext;
+import com.pinterest.teletraan.universal.security.EnvoyAuthFilter;
+import com.pinterest.teletraan.universal.security.EnvoyAuthenticator;
+import com.pinterest.teletraan.universal.security.bean.EnvoyCredentials;
+import com.pinterest.teletraan.universal.security.bean.TeletraanPrincipal;
+import io.dropwizard.auth.AuthFilter;
+import io.dropwizard.auth.Authenticator;
+import io.dropwizard.auth.CachingAuthenticator;
+import io.dropwizard.auth.chained.ChainedAuthFilter;
+import java.util.ArrayList;
+import java.util.List;
+import javax.ws.rs.container.ContainerRequestFilter;
+import org.apache.commons.lang3.StringUtils;
+
+@JsonTypeName("composite")
+public class CompositeAuthenticationFactory extends TokenAuthenticationFactory {
+ @SuppressWarnings({"rawtypes", "unchecked"})
+ @Override
+ public ContainerRequestFilter create(TeletraanServiceContext context) throws Exception {
+ List tokenFilters = createAuthFilters(context);
+ Authenticator authenticator =
+ new EnvoyAuthenticator();
+
+ if (StringUtils.isNotBlank(getTokenCacheSpec())) {
+ MetricRegistry registry = SharedMetricRegistries.getDefault();
+ Caffeine cacheBuilder = Caffeine.from(getTokenCacheSpec());
+ authenticator = new CachingAuthenticator<>(registry, authenticator, cacheBuilder);
+ }
+
+ AuthFilter envoyAuthFilter =
+ new EnvoyAuthFilter.Builder()
+ .setAuthenticator(authenticator)
+ .setAuthorizer(context.getAuthorizationFactory().create(context))
+ .buildAuthFilter();
+
+ List filters = new ArrayList<>();
+ filters.addAll(tokenFilters);
+ filters.add(envoyAuthFilter);
+
+ return new ChainedAuthFilter(filters);
+ }
+}
diff --git a/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthorizationFactory.java b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthorizationFactory.java
new file mode 100644
index 0000000000..2cdea12633
--- /dev/null
+++ b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthorizationFactory.java
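Review bot: The Envoy filter is appended after the token filters in the `ChainedAuthFilter`, so any request whose token auth fails (or that carries no token) is authenticated purely from the Envoy-supplied credentials, and nothing in `create` records the assumption that those credentials are only trustworthy when every path to the service goes through Envoy and client-supplied copies of the identity headers are stripped there; `EnvoyAuthFilter`/`EnvoyAuthenticator` are not in this diff, so I cannot confirm where that is enforced. I would state it on the class: `// Envoy-derived identity is the fallback after token auth; it is only safe if all traffic traverses Envoy and Envoy overwrites any client-supplied identity headers.` The Envoy authenticator is also wrapped in `CachingAuthenticator` using the same `getTokenCacheSpec()` as tokens, which means a positive Envoy identity decision persists for the full cache lifetime after revocation and the cache key relies on `EnvoyCredentials` having value-based `equals`/`hashCode` — worth a one-line comment on the `if` block, e.g. `// Envoy results share the token cache spec; revocation latency is bounded by that TTL.` Finally, the authorizer handed to the Envoy filter is the principal-agnostic `create(context)` rather than the principal-class overload the token filters presumably use, so if that asymmetry is intended, say so in a comment on the `.setAuthorizer(...)` line.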
@@ -0,0 +1,63 @@ +/** + * Copyright (c) 2024 Pinterest, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.pinterest.teletraan.config; + +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeName; +import com.pinterest.teletraan.TeletraanServiceContext; +import com.pinterest.teletraan.security.ScriptTokenRoleAuthorizer; +import com.pinterest.teletraan.security.UserRoleAuthorizer; +import com.pinterest.teletraan.universal.security.BasePastisAuthorizer; +import com.pinterest.teletraan.universal.security.bean.ServicePrincipal; +import com.pinterest.teletraan.universal.security.bean.TeletraanPrincipal; +import com.pinterest.teletraan.universal.security.bean.UserPrincipal; +import io.dropwizard.auth.Authorizer; + +@JsonTypeName("composite") +public class CompositeAuthorizationFactory implements AuthorizationFactory { + private static final String DEFAULT_PASTIS_SERVICE_NAME = "teletraan_dev"; + + @JsonProperty private String pastisServiceName = DEFAULT_PASTIS_SERVICE_NAME; + + public void setPastisServiceName(String pastisServiceName) { + this.pastisServiceName = pastisServiceName; + } + + public String getPastisServiceName() { + return pastisServiceName; + } + + @Override + public

Authorizer

create(TeletraanServiceContext context) + throws Exception { + return (Authorizer

) + BasePastisAuthorizer.builder() + .factory(context.getAuthZResourceExtractorFactory()) + .serviceName(pastisServiceName) + .build(); + } + + @Override + public

Authorizer create( + TeletraanServiceContext context, Class

principalClass) throws Exception { + if (ServicePrincipal.class.equals(principalClass)) { + return new ScriptTokenRoleAuthorizer(context.getAuthZResourceExtractorFactory()); + } else if (UserPrincipal.class.equals(principalClass)) { + return new UserRoleAuthorizer(context, context.getAuthZResourceExtractorFactory()); + } + return create(context); + } +} diff --git a/deploy-service/teletraanservice/src/main/resources/META-INF/services/com.pinterest.teletraan.config.AuthenticationFactory b/deploy-service/teletraanservice/src/main/resources/META-INF/services/com.pinterest.teletraan.config.AuthenticationFactory index 4ae09aedf4..42eb2dfca8 100644 --- a/deploy-service/teletraanservice/src/main/resources/META-INF/services/com.pinterest.teletraan.config.AuthenticationFactory +++ b/deploy-service/teletraanservice/src/main/resources/META-INF/services/com.pinterest.teletraan.config.AuthenticationFactory @@ -1,2 +1,3 @@ com.pinterest.teletraan.config.AnonymousAuthenticationFactory com.pinterest.teletraan.config.TokenAuthenticationFactory +com.pinterest.teletraan.config.CompositeAuthenticationFactory
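Review bot: `DEFAULT_PASTIS_SERVICE_NAME = "teletraan_dev"` means a deployment that omits `pastisServiceName` silently evaluates every non-user, non-service principal against the dev policy set rather than failing; I would drop the default or fail fast in `create(context)` with `if (pastisServiceName == null || pastisServiceName.trim().isEmpty()) throw new IllegalStateException("pastisServiceName must be configured");`, or at minimum log the effective service name at startup. The dispatch in the two-argument `create` compares classes with `equals`, so a subclass of `UserPrincipal` or `ServicePrincipal` would fall through to the Pastis authorizer; if that catch-all is deliberate for Envoy-derived principals, a comment on the final `return create(context);` such as `// Any other principal type (e.g. Envoy-derived) is authorized by Pastis.` would make the fail-open-to-Pastis path explicit. The services hunk registers `CompositeAuthenticationFactory` but no `AuthorizationFactory` entry for the composite authorizer appears in this commit; if `AuthorizationFactory` is also resolved through `META-INF/services`, `type: composite` for authorization will not resolve, and if the omission is intentional because the pom profile excludes this class, that is worth noting in the commit message.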