Introduce universal/security library for AuthN and AuthZ

commit-id:17aa4dbb
pinterest · Mar 6, 2024 · 46b0f23 · 46b0f23
1 parent e8c2163
commit 46b0f23
Show file tree

Hide file tree

Showing 34 changed files with 2,194 additions and 10 deletions.
diff --git a/deploy-service/universal/pom.xml b/deploy-service/universal/pom.xml
@@ -21,14 +21,15 @@
     <maven.compiler.source>1.8</maven.compiler.source>
     <maven.compiler.target>1.8</maven.compiler.target>
     <micrometer.version>1.11.3</micrometer.version>
+    <pinterest.commons.version>0.1-20220908.230942-22097</pinterest.commons.version>
   </properties>
 
   <dependencyManagement>
     <dependencies>
       <dependency>
         <groupId>io.projectreactor</groupId>
         <artifactId>reactor-bom</artifactId>
-        <version>2022.0.9</version>
+        <version>2023.0.3</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
@@ -59,6 +60,10 @@
       <groupId>io.projectreactor.netty</groupId>
       <artifactId>reactor-netty-core</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.projectreactor.netty</groupId>
+      <artifactId>reactor-netty-http</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.projectlombok</groupId>
       <artifactId>lombok</artifactId>
@@ -75,6 +80,32 @@
       <artifactId>slf4j-api</artifactId>
       <version>2.0.9</version>
     </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-databind</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+      <version>32.1.2-jre</version>
+    </dependency>
+    <dependency>
+      <groupId>javax.ws.rs</groupId>
+      <artifactId>javax.ws.rs-api</artifactId>
+      <version>2.1</version>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>javax.annotation</groupId>
+      <artifactId>javax.annotation-api</artifactId>
+      <version>1.3.2</version>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-auth</artifactId>
+      <version>${dropwizard.version}</version>
+    </dependency>
 
     <!-- Test dependencies -->
     <dependency>
@@ -102,11 +133,11 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>com.google.guava</groupId>
-      <artifactId>guava</artifactId>
-      <version>32.1.2-jre</version>
+      <groupId>com.squareup.okhttp3</groupId>
+      <artifactId>mockwebserver</artifactId>
+      <version>3.14.9</version>
       <scope>test</scope>
-    </dependency>
+  </dependency>
   </dependencies>
 
   <build>
@@ -115,14 +146,14 @@
       <plugins>
         <plugin>
           <artifactId>maven-deploy-plugin</artifactId>
-          <version>2.8.2</version>
-          <configuration>  
-            <skip>true</skip>  
+          <version>3.1.1</version>
+          <configuration>
+            <skip>true</skip>
           </configuration>
         </plugin>
         <plugin>
           <artifactId>maven-project-info-reports-plugin</artifactId>
-          <version>3.0.0</version>
+          <version>3.5.0</version>
         </plugin>
       </plugins>
     </pluginManagement>
@@ -144,7 +175,7 @@
         <!-- For non-Pinterest deployments, remove this block and use the maven-deploy-plugin instead. -->
         <groupId>org.codehaus.mojo</groupId>
         <artifactId>exec-maven-plugin</artifactId>
-        <version>3.0.0</version>  
+        <version>3.0.0</version>
         <executions>
           <execution>
             <id>artifactory-push-deploy</id>
@@ -181,4 +212,126 @@
       </plugin>
     </plugins>
   </build>
+
+  <profiles>
+    <profile>
+      <id>pinterest-dependenies</id>
+      <activation>
+        <activeByDefault>true</activeByDefault>
+      </activation>
+      <repositories>
+        <repository>
+          <!-- Single end point to fetch all maven artifacts.  -->
+          <id>maven-virtual</id>
+          <name>maven-virtual</name>
+          <url>https://artifacts-prod-use1.pinadmin.com/artifactory/maven-virtual/</url>
+        </repository>
+        <repository>
+          <id>artifactory-thirdparty-prod</id>
+          <name>artifactory-thirdparty-prod</name>
+          <url>https://artifacts-prod-use1.pinadmin.com/artifactory/maven_thirdparty-jar-bazel-prod-local</url>
+          <releases>
+            <enabled>true</enabled>
+          </releases>
+          <snapshots>
+            <enabled>false</enabled>
+          </snapshots>
+        </repository>
+        <repository>
+          <id>artifactory-legacy-prod</id>
+          <name>artifactory-legacy-prod</name>
+          <url>https://artifacts-prod-use1.pinadmin.com/artifactory/maven_legacy-jar-bazel-prod-local</url>
+          <releases>
+            <enabled>true</enabled>
+          </releases>
+          <snapshots>
+            <enabled>false</enabled>
+          </snapshots>
+        </repository>
+        <repository>
+          <id>artifactory-private-snapshots-prod</id>
+          <name>artifactory-private-snapshots-prod</name>
+          <url>https://artifacts-prod-use1.pinadmin.com/artifactory/maven_private_snapshots-jar-bazel-prod-local</url>
+          <releases>
+            <enabled>false</enabled>
+          </releases>
+          <snapshots>
+            <enabled>true</enabled>
+          </snapshots>
+        </repository>
+      </repositories>
+      <dependencies>
+        <dependency>
+          <groupId>com.pinterest.optimus.commons</groupId>
+          <artifactId>pinterest-commons</artifactId>
+          <version>${pinterest.commons.version}</version>
+          <exclusions>
+            <exclusion>
+              <groupId>org.slf4j</groupId>
+              <artifactId>slf4j-api</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>org.slf4j</groupId>
+              <artifactId>slf4j-log4j12</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>org.slf4j</groupId>
+              <artifactId>slf4j-jdk14</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>com.amazonaws</groupId>
+              <artifactId>aws-java-sdk-bundle</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>io.netty</groupId>
+              <artifactId>netty-handler</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>io.netty</groupId>
+              <artifactId>netty-buffer</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>com.pinterest.optimus</groupId>
+              <artifactId>optimus</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>com.pinterest.schemas</groupId>
+              <artifactId>schemas_jdk18</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>com.pinterest</groupId>
+              <artifactId>libjava_fbs</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>com.google.flatbuffers</groupId>
+              <artifactId>flatbuffers-java</artifactId>
+            </exclusion>
+            <exclusion>
+              <groupId>com.pinterest.psc</groupId>
+              <artifactId>psc-internal-shaded</artifactId>
+            </exclusion>
+          </exclusions>
+        </dependency>
+      </dependencies>
+    </profile>
+
+    <profile>
+      <!-- If you are outside Pinterest, use this profile instead -->
+      <!-- i.e. mvn clean package -P-pinterest-dependenies,exclude-pinterest-only-classes -->
+      <id>exclude-pinterest-only-classes</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-compiler-plugin</artifactId>
+            <configuration>
+              <excludes>
+                <exclude>com/pinterest/teletraan/universal/security/BasePastisAuthorizer.java</exclude>
+              </excludes>
+            </configuration>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+  </profiles>
 </project>
diff --git a/...iversal/src/main/java/com/pinterest/teletraan/universal/security/AnonymousAuthFilter.java b/...iversal/src/main/java/com/pinterest/teletraan/universal/security/AnonymousAuthFilter.java
@@ -0,0 +1,68 @@
+/**
+ * Copyright (c) 2024 Pinterest, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.pinterest.teletraan.universal.security;
+
+import com.pinterest.teletraan.universal.security.bean.AnonymousUser;
+import java.io.IOException;
+import java.security.Principal;
+import javax.annotation.Priority;
+import javax.ws.rs.Priorities;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.core.SecurityContext;
+import javax.ws.rs.ext.Provider;
+
+/**
+ * A filter for authenticating and authorizing any request as an anonymous user. For development use
+ * only.
+ */
+@Provider
+@Priority(Priorities.AUTHENTICATION)
+public class AnonymousAuthFilter implements ContainerRequestFilter {
+    public static final AnonymousUser USER = new AnonymousUser();
+    private SecurityContext securityContext;
+
+    public AnonymousAuthFilter() {
+        securityContext =
+                new SecurityContext() {
+
+                    @Override
+                    public Principal getUserPrincipal() {
+                        return AnonymousAuthFilter.USER;
+                    }
+
+                    @Override
+                    public boolean isUserInRole(String s) {
+                        return true;
+                    }
+
+                    @Override
+                    public boolean isSecure() {
+                        return false;
+                    }
+
+                    @Override
+                    public String getAuthenticationScheme() {
+                        return "Anonymous";
+                    }
+                };
+    }
+
+    @Override
+    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
+        containerRequestContext.setSecurityContext(securityContext);
+    }
+}
diff --git a/...niversal/src/main/java/com/pinterest/teletraan/universal/security/AuditLoggingFilter.java b/...niversal/src/main/java/com/pinterest/teletraan/universal/security/AuditLoggingFilter.java
@@ -0,0 +1,62 @@
+/**
+ * Copyright (c) 2024 Pinterest, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.pinterest.teletraan.universal.security;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import javax.annotation.Priority;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerResponseContext;
+import javax.ws.rs.container.ContainerResponseFilter;
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * A filter for logging audit information for each request. Should be configured differently than
+ * regular application logs.
+ */
+@Priority(Integer.MIN_VALUE)
+@Slf4j
+public class AuditLoggingFilter implements ContainerResponseFilter {
+    private static final String PRINCIPAL = "principal";
+    private static final String RESOURCE = "resource";
+    private static final String METHOD = "method";
+    private static final String STATUS = "status";
+
+    @Override
+    public void filter(
+            ContainerRequestContext requestContext, ContainerResponseContext responseContext)
+            throws IOException {
+        if (requestContext.getSecurityContext() == null
+                || requestContext.getSecurityContext().getUserPrincipal() == null) {
+            return;
+        }
+        Map<String, Object> attributes = new HashMap<>();
+        try {
+            attributes.put(
+                    PRINCIPAL, requestContext.getSecurityContext().getUserPrincipal().getName());
+            attributes.put(RESOURCE, requestContext.getUriInfo().getRequestUri().toString());
+            attributes.put(METHOD, requestContext.getMethod());
+            attributes.put(STATUS, responseContext.getStatus());
+
+            String json = new ObjectMapper().writeValueAsString(attributes);
+            log.info(json);
+        } catch (Exception ex) {
+            log.error("Failed to generate audit log for: {}", attributes, ex);
+        }
+    }
+}