From 594f2cd0ba9121f18b70a6f2f22a4e7436317bad Mon Sep 17 00:00:00 2001 From: Tyler Ouyang Date: Fri, 1 Mar 2024 16:14:17 -0800 Subject: [PATCH] Add support for composite AuthN and AuthZ filters commit-id:eb5c1322 --- deploy-service/teletraanservice/pom.xml | 19 ++++++ .../CompositeAuthenticationFactory.java | 56 +++++++++++++++++ .../config/CompositeAuthorizationFactory.java | 61 +++++++++++++++++++ ...est.teletraan.config.AuthenticationFactory | 1 + ...rest.teletraan.config.AuthorizationFactory | 1 + 5 files changed, 138 insertions(+) create mode 100644 deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthenticationFactory.java create mode 100644 deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthorizationFactory.java diff --git a/deploy-service/teletraanservice/pom.xml b/deploy-service/teletraanservice/pom.xml index 577ab5072d..5581ef72f4 100644 --- a/deploy-service/teletraanservice/pom.xml +++ b/deploy-service/teletraanservice/pom.xml @@ -173,5 +173,24 @@ + + + + + exclude-pinterest-only-classes + + + + org.apache.maven.plugins + maven-compiler-plugin + + + com/pinterest/teletraan/config/CompositeAuthorizationFactory.java + + + + + + \ No newline at end of file diff --git a/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthenticationFactory.java b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthenticationFactory.java new file mode 100644 index 0000000000..edbad8a6c7 --- /dev/null +++ b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthenticationFactory.java 
@@ -0,0 +1,56 @@
+/**
+ * Copyright (c) 2024 Pinterest, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.pinterest.teletraan.config;
+
+import com.codahale.metrics.MetricRegistry;
+import com.codahale.metrics.SharedMetricRegistries;
+import com.fasterxml.jackson.annotation.JsonTypeName;
+import com.github.benmanes.caffeine.cache.Caffeine;
+import com.pinterest.teletraan.TeletraanServiceContext;
+import com.pinterest.teletraan.universal.security.EnvoyAuthFilter;
+import com.pinterest.teletraan.universal.security.EnvoyAuthenticator;
+import com.pinterest.teletraan.universal.security.bean.EnvoyCredentials;
+import com.pinterest.teletraan.universal.security.bean.TeletraanPrincipal;
+import io.dropwizard.auth.AuthFilter;
+import io.dropwizard.auth.CachingAuthenticator;
+import io.dropwizard.auth.chained.ChainedAuthFilter;
+import java.util.Arrays;
+import java.util.List;
+import javax.ws.rs.container.ContainerRequestFilter;
+
+@JsonTypeName("composite")
+public class CompositeAuthenticationFactory extends TokenAuthenticationFactory {
+ @SuppressWarnings({"rawtypes", "unchecked"})
+ @Override
+ public ContainerRequestFilter create(TeletraanServiceContext context) throws Exception {
+ List tokenFilters = createAuthFilters(context);
+ MetricRegistry registry = SharedMetricRegistries.getDefault();
+ Caffeine cacheBuilder = Caffeine.from(getTokenCacheSpec());
+
+ CachingAuthenticator cachingEnvoyAuthenticator =
+ new CachingAuthenticator<>(registry, new EnvoyAuthenticator(), cacheBuilder);
+ AuthFilter envoyAuthFilter =
+ new EnvoyAuthFilter.Builder()
+ .setAuthenticator(cachingEnvoyAuthenticator)
+ .setAuthorizer(context.getAuthorizationFactory().create(context))
+ .buildAuthFilter();
+
+ List filters = Arrays.asList(envoyAuthFilter);
+ tokenFilters.add(envoyAuthFilter);
+
+ return new ChainedAuthFilter(filters);
+ }
+}
diff --git a/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthorizationFactory.java b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthorizationFactory.java
new file mode 100644
index 0000000000..f73411ed9c
--- /dev/null
+++ b/deploy-service/teletraanservice/src/main/java/com/pinterest/teletraan/config/CompositeAuthorizationFactory.java
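Review bot: The chain returned at the end of `create` contains only the Envoy filter: `filters` is built as `Arrays.asList(envoyAuthFilter)`, while the token filters from `createAuthFilters(context)` are added to `tokenFilters`, which is then discarded, so selecting `composite` silently drops token authentication instead of combining it with Envoy. Remove the `filters` local and return the list that actually holds both: `tokenFilters.add(envoyAuthFilter);` followed by `return new ChainedAuthFilter(tokenFilters);`. If `createAuthFilters` returns an unmodifiable list the `add` will throw at startup, so copying into `new ArrayList<>(createAuthFilters(context))` first is the safer form; that return type is not visible here. If `EnvoyAuthenticator` trusts proxy-injected identity headers (also not visible here), this composite filter should only be enabled on listeners reachable exclusively through Envoy, otherwise a direct caller can present those headers itself and the token path is bypassed.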
@@ -0,0 +1,61 @@
+/**
+ * Copyright (c) 2024 Pinterest, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.pinterest.teletraan.config;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonTypeName;
+import com.pinterest.teletraan.TeletraanServiceContext;
+import com.pinterest.teletraan.security.ScriptTokenRoleAuthorizer;
+import com.pinterest.teletraan.security.UserRoleAuthorizer;
+import com.pinterest.teletraan.universal.security.BasePastisAuthorizer;
+import com.pinterest.teletraan.universal.security.bean.ServicePrincipal;
+import com.pinterest.teletraan.universal.security.bean.TeletraanPrincipal;
+import com.pinterest.teletraan.universal.security.bean.UserPrincipal;
+import io.dropwizard.auth.Authorizer;
+
+@JsonTypeName("composite")
+public class CompositeAuthorizationFactory implements AuthorizationFactory {
+ private static final String DEFAULT_PASTIS_SERVICE_NAME = "teletraan_dev";
+
+ @JsonProperty
+ private String pastisServiceName = DEFAULT_PASTIS_SERVICE_NAME;
+
+ public void setPastisServiceName(String pastisServiceName) {
+ this.pastisServiceName = pastisServiceName;
+ }
+
+ public String getPastisServiceName() {
+ return pastisServiceName;
+ }
+
+ @Override
+ public Authorizer create(TeletraanServiceContext context)
+ throws Exception {
+ return (Authorizer ) BasePastisAuthorizer.builder().factory(context.getAuthZResourceExtractorFactory())
+ .serviceName(pastisServiceName).build();
+ }
+
+ @Override
+ public Authorizer create(
+ TeletraanServiceContext context, Class principalClass) throws Exception {
+ if (principalClass.equals(ServicePrincipal.class)) {
+ return new ScriptTokenRoleAuthorizer(context.getAuthZResourceExtractorFactory());
+ } else if (principalClass.equals(UserPrincipal.class)) {
+ return new UserRoleAuthorizer(context, context.getAuthZResourceExtractorFactory());
+ }
+ return create(context);
+ }
+}
diff --git a/deploy-service/teletraanservice/src/main/resources/META-INF/services/com.pinterest.teletraan.config.AuthenticationFactory b/deploy-service/teletraanservice/src/main/resources/META-INF/services/com.pinterest.teletraan.config.AuthenticationFactory
index 4ae09aedf4..42eb2dfca8 100644
--- a/deploy-service/teletraanservice/src/main/resources/META-INF/services/com.pinterest.teletraan.config.AuthenticationFactory
+++ b/deploy-service/teletraanservice/src/main/resources/META-INF/services/com.pinterest.teletraan.config.AuthenticationFactory
@@ -1,2 +1,3 @@
 com.pinterest.teletraan.config.AnonymousAuthenticationFactory
 com.pinterest.teletraan.config.TokenAuthenticationFactory
+com.pinterest.teletraan.config.CompositeAuthenticationFactory
diff --git a/deploy-service/teletraanservice/src/main/resources/META-INF/services/com.pinterest.teletraan.config.AuthorizationFactory b/deploy-service/teletraanservice/src/main/resources/META-INF/services/com.pinterest.teletraan.config.AuthorizationFactory
index d427e0ddda..647c8ba8f8 100644
--- a/deploy-service/teletraanservice/src/main/resources/META-INF/services/com.pinterest.teletraan.config.AuthorizationFactory
+++ b/deploy-service/teletraanservice/src/main/resources/META-INF/services/com.pinterest.teletraan.config.AuthorizationFactory
@@ -1,2 +1,3 @@
 com.pinterest.teletraan.config.OpenAuthorizationFactory
 com.pinterest.teletraan.config.TokenAuthorizationFactory
+com.pinterest.teletraan.config.CompositeAuthorizationFactory
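Review bot: `DEFAULT_PASTIS_SERVICE_NAME = "teletraan_dev"` makes the policy-service name fall back to what looks like a dev policy set, so a production deployment that omits `pastisServiceName` would have every non-user, non-service principal authorized against the wrong (presumably more permissive) policies with no error at all. Authorization configuration should fail closed: drop the default and constrain the field so Dropwizard's configuration validation rejects a missing value, e.g. `@NotEmpty @JsonProperty private String pastisServiceName;`, or at minimum log the effective service name at startup. In `create(context, principalClass)` the dispatch uses `principalClass.equals(...)`, so any subclass of `UserPrincipal` or `ServicePrincipal` falls through to the Pastis authorizer; `isAssignableFrom` is the safer test if those types can be subclassed, which is not visible here. A class-level Javadoc naming which authorizer backs each principal type (ScriptTokenRoleAuthorizer for services, UserRoleAuthorizer for users, Pastis for everything else) would make the "composite" behaviour auditable.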
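Review bot: This provider entry is unconditional, while the pom.xml change in the same commit appears to add an `exclude-pinterest-only-classes` profile that excludes `CompositeAuthorizationFactory.java` from compilation; with that profile active the service file names a class that is not in the jar. Depending on how the file is consumed this is either a startup failure (plain `ServiceLoader` throws `ServiceConfigurationError`) or a logged-and-skipped entry that quietly removes the `composite` option, and neither is obvious from the build. Either ship a profile-specific `META-INF/services` resource that omits the line, or drop the compiler exclusion and let the class compile everywhere. The exclusion's exact XML is garbled in this patch view, so confirm against the pom before acting.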