Issue 145: Use new Auth strings syntax (#150)

Change auth resource strings to use domain and resource identifiers.

Signed-off-by: Shivesh Ranjan <[email protected]>

Author: shiveshr

charts/schema-registry/templates/configmap.yaml

@@ -32,7 +32,9 @@ data:
   "DISABLE_BASIC_AUTH": "{{ .Values.authentication.disableBasicAuthentication }}"
   {{- end }}
   {{- if .Values.authentication.authorizationResourceQualifier }}
-  "AUTHORIZATION_RESOURCE_QUALIFIER": "{{ .Values.authentication.authorizationResourceQualifier }}"
+  "AUTHORIZATION_DOMAIN_RESOURCE_IDENTIFIER": "{{ .Values.authentication.authResourceDomain }}"
+  "AUTHORIZATION_NAMESPACE_RESOURCE_IDENTIFIER": "{{ .Values.authentication.authResourceNamespace }}"
+  "AUTHORIZATION_GROUP_RESOURCE_IDENTIFIER": "{{ .Values.authentication.authorizationResourceGroup }}"
   {{- end }}
   {{- if .Values.tls.enabled }}
   "TLS_CERT_FILE": "/etc/secret-volume/{{ .Values.tls.certFile }}"

charts/schema-registry/values.yaml

@@ -67,8 +67,10 @@ authentication:
   ## authentication is enabled
   passwordAuthSecret:
   userPasswordFile:
-  authorizationResourceQualifier: ""
   disableBasicAuthentication: false
+  authResourceDomain: "prn"
+  authNamespaceResourceIdentifier: "namespace"
+  authGroupResourceIdentifier: "group"
 
 tls:
   enabled: false

server/src/conf/schema-registry.config.properties

@@ -34,5 +34,7 @@ schemaRegistry.security.tls.server.privateKey.pwd.location=${TLS_KEY_PASSWORD_FI
 ## Authorization configuration
 schemaRegistry.security.auth.enable=${AUTHORIZATION_ENABLED}
 schemaRegistry.security.pwdAuthHandler.accountsDb.location=${USER_PASSWORD_FILE}
-schemaRegistry.security.auth.resource.qualifier=${AUTHORIZATION_RESOURCE_QUALIFIER}
+schemaRegistry.security.auth.resource.identifier.domain=${AUTHORIZATION_DOMAIN_RESOURCE_IDENTIFIER}
+schemaRegistry.security.auth.resource.identifier.namespace=${AUTHORIZATION_NAMESPACE_RESOURCE_IDENTIFIER}
+schemaRegistry.security.auth.resource.identifier.group=${AUTHORIZATION_GROUP_RESOURCE_IDENTIFIER}
 schemaRegistry.security.auth.method.basic.disable=${DISABLE_BASIC_AUTH}

server/src/main/java/io/pravega/schemaregistry/server/rest/auth/AuthHandlerManager.java

@@ -29,7 +29,6 @@
 @Slf4j
 public class AuthHandlerManager {
     private final ServiceConfig serverConfig;
-
     private final ConcurrentHashMap<String, AuthHandler> handlerMap;
 
     public AuthHandlerManager(ServiceConfig serverConfig) {
@@ -43,7 +42,7 @@ private void loadHandlers() {
             if (serverConfig.isAuthEnabled()) {
                 ServiceLoader<AuthHandler> loader = ServiceLoader.load(AuthHandler.class);
                 for (AuthHandler handler : loader) {
-                    if (handler instanceof PasswordAuthHandler) {
+                    if (handler instanceof PasswordAuthHandler && !(handler instanceof BasicAuthHandler)) {
                         continue;
                     }
                     try {

server/src/main/java/io/pravega/schemaregistry/server/rest/auth/BasicAuthHandler.java

@@ -9,210 +9,23 @@
  */
 package io.pravega.schemaregistry.server.rest.auth;
 
-import com.google.common.base.Charsets;
-import com.google.common.base.Preconditions;
-import com.google.common.base.Strings;
-import io.pravega.auth.AuthConstants;
-import io.pravega.auth.AuthException;
 import io.pravega.auth.AuthHandler;
-import io.pravega.auth.AuthenticationException;
 import io.pravega.auth.ServerConfig;
-import io.pravega.controller.server.security.auth.StrongPasswordProcessor;
-import io.pravega.controller.server.security.auth.UserPrincipal;
+import io.pravega.controller.server.rpc.grpc.impl.GRPCServerConfigImpl;
+import io.pravega.controller.server.security.auth.handler.impl.PasswordAuthHandler;
 import io.pravega.schemaregistry.server.rest.ServiceConfig;
-import lombok.Data;
+import io.pravega.schemaregistry.service.Config;
 import lombok.extern.slf4j.Slf4j;
 
-import java.io.BufferedReader;
-import java.io.FileReader;
-import java.io.IOException;
-import java.security.NoSuchAlgorithmException;
-import java.security.Principal;
-import java.security.spec.InvalidKeySpecException;
-import java.util.Arrays;
-import java.util.Base64;
-import java.util.List;
-import java.util.concurrent.CompletionException;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.stream.Collectors;
-
 @Slf4j
-public class BasicAuthHandler implements AuthHandler {
-
-    private final ConcurrentHashMap<String, PravegaACls> userMap;
-    private final StrongPasswordProcessor encryptor;
-
-    public BasicAuthHandler() {
-        userMap = new ConcurrentHashMap<>();
-        encryptor = StrongPasswordProcessor.builder().build();
-    }
-
-    private void loadPasswordFile(String userPasswordFile) {
-        log.debug("Loading {}", userPasswordFile);
-
-        try (FileReader reader = new FileReader(userPasswordFile);
-             BufferedReader lineReader = new BufferedReader(reader)) {
-            String line;
-            while (!Strings.isNullOrEmpty(line = lineReader.readLine())) {
-                if (line.startsWith("#")) {
-                    continue;
-                }
-                String[] userFields = line.split(":");
-                if (userFields.length >= 2) {
-                    String acls;
-                    if (userFields.length == 2) {
-                        acls = "";
-                    } else {
-                        acls = userFields[2];
-                    }
-                    userMap.put(userFields[0], new PravegaACls(userFields[1], getAcls(acls)));
-                }
-            }
-        } catch (IOException e) {
-            throw new CompletionException(e);
-        }
-    }
-
-    @Override
-    public String getHandlerName() {
-        return AuthConstants.BASIC;
-    }
-
-    @Override
-    public Principal authenticate(String token) throws AuthException {
-        String[] parts = parseToken(token);
-        String userName = parts[0];
-        char[] password = parts[1].toCharArray();
-
-        try {
-            if (userMap.containsKey(userName) && encryptor.checkPassword(password, userMap.get(userName).encryptedPassword)) {
-                return new UserPrincipal(userName);
-            }
-            throw new AuthenticationException("User authentication exception");
-        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
-            log.warn("Exception during password authentication", e);
-            throw new AuthenticationException(e);
-        } finally {
-            Arrays.fill(password, '0'); // Zero out the password for security.
-        }
-    }
-
-    @Override
-    public Permissions authorize(String resource, Principal principal) {
-        String userName = principal.getName();
-
-        if (Strings.isNullOrEmpty(userName) || !userMap.containsKey(userName)) {
-            throw new CompletionException(new AuthenticationException(userName));
-        }
-        return authorizeForUser(userMap.get(userName), resource);
-    }
-
+public class BasicAuthHandler extends PasswordAuthHandler implements AuthHandler {
     @Override
     public void initialize(ServerConfig serverConfig) {
-        loadPasswordFile(((ServiceConfig) serverConfig).getUserPasswordFilePath());
+        super.initialize(GRPCServerConfigImpl
+                .builder().port(Config.SERVICE_PORT)
+                .userPasswordFile(((ServiceConfig) serverConfig).getUserPasswordFilePath()).build());
     }
+}
 
-    private static String[] parseToken(String token) {
-        String[] parts = new String(Base64.getDecoder().decode(token), Charsets.UTF_8).split(":", 2);
-        Preconditions.checkArgument(parts.length == 2, "Invalid authorization token");
-        return parts;
-    }
-
-    private Permissions authorizeForUser(PravegaACls pravegaACls, String resource) {
-        Permissions result = Permissions.NONE;
-
-        /*
-         *  `*` Means a wildcard.
-         *  If It is a direct match, return the ACLs.
-         *  If it is a partial match, the target has to end with a `/`
-         */
-        for (PravegaAcl acl : pravegaACls.acls) {
-            // Separating into different blocks, to make the code more understandable.
-            // It makes the code look a bit strange, but it is still simpler and easier to decipher than what it be
-            // if we combine the conditions.
-
-            if (acl.isResource(resource)) {
-                // Example: resource = "mygroup", acl-resource = "mygroup"
-
-                result = acl.permissions;
-                break;
-            }
-
-            if (acl.isResource("/*") && !resource.contains("/")) {
-                // Example: resource = "mygroup", acl-resource ="/*"
-                result = acl.permissions;
-                break;
-            }
-            
-            if (acl.resourceEndsWith("/") && acl.resourceStartsWith(resource)) {
-                result = acl.permissions;
-                break;
-            }
-
-            // Say, resource is mygroup/schemas. ACL specifies permission for mygroup/*.
-            // Auth should return the the ACL's permissions in that case.
-            if (resource.contains("/") && !resource.endsWith("/")) {
-                String[] values = resource.split("/");
-                String res = null;
-                for (String value : values) {
-                    res = res == null ? value : res + "/" + value;
-                    if (acl.isResource(res + "/*")) {
-                        result = acl.permissions;
-                        break;
-                    }
-                } 
-            }
-
-            if (acl.isResource("*") && acl.hasHigherPermissionsThan(result)) {
-                result = acl.permissions;
-                break;
-            }
-        }
-        return result;
-    }
-
-    private List<PravegaAcl> getAcls(String aclString) {
-        return Arrays.stream(aclString.split(";")).map(acl -> {
-            String[] splits = acl.split(",");
-            if (splits.length == 0) {
-                return null;
-            }
-            String resource = splits[0];
-            String aclVal = "READ";
-            if (splits.length >= 2) {
-                aclVal = splits[1];
-
-            }
-            return new PravegaAcl(resource,
-                    Permissions.valueOf(aclVal));
-        }).collect(Collectors.toList());
-    }
-
-    @Data
-    private static class PravegaACls {
-        private final String encryptedPassword;
-        private final List<PravegaAcl> acls;
-    }
-
-    @Data
-    private static class PravegaAcl {
-        private final String resourceRepresentation;
-        private final Permissions permissions;
-
-        boolean isResource(String resource) {
-            return resourceRepresentation.equals(resource);
-        }
-
-        boolean resourceEndsWith(String resource) {
-            return resourceRepresentation.endsWith(resource);
-        }
 
-        boolean resourceStartsWith(String resource) {
-            return resourceRepresentation.startsWith(resource);
-        }
 
-        boolean hasHigherPermissionsThan(Permissions input) {
-            return this.permissions.ordinal() > input.ordinal();
-        }
-    }
-}

server/src/main/java/io/pravega/schemaregistry/server/rest/resources/AuthResources.java

@@ -9,14 +9,13 @@
  */
 package io.pravega.schemaregistry.server.rest.resources;
 
-import com.google.common.base.Strings;
 import io.pravega.schemaregistry.service.Config;
 
 class AuthResources {
-    static final String DOMAIN = Strings.isNullOrEmpty(Config.AUTH_RESOURCE_QUALIFIER) ? "" : "_" + Config.AUTH_RESOURCE_QUALIFIER + "/";
+    static final String DOMAIN = Config.DOMAIN_RESOURCE_QUALIFIER + "::/";
     static final String DEFAULT_NAMESPACE = "";
-    static final String NAMESPACE_FORMAT = DOMAIN + "%s";
-    static final String NAMESPACE_GROUP_FORMAT = NAMESPACE_FORMAT + "/%s";
-    static final String NAMESPACE_GROUP_SCHEMA_FORMAT = NAMESPACE_GROUP_FORMAT + "/schemas";
-    static final String NAMESPACE_GROUP_CODEC_FORMAT = NAMESPACE_GROUP_FORMAT + "/codecs";
+    static final String NAMESPACE_FORMAT = DOMAIN + Config.NAMESPACE_RESOURCE_QUALIFIER + ":%s";
+    static final String NAMESPACE_GROUP_FORMAT = NAMESPACE_FORMAT + "/" + Config.GROUP_RESOURCE_QUALIFIER + ":%s";
+    static final String NAMESPACE_GROUP_SCHEMA_FORMAT = NAMESPACE_GROUP_FORMAT + "/schemas:*";
+    static final String NAMESPACE_GROUP_CODEC_FORMAT = NAMESPACE_GROUP_FORMAT + "/codecs:*";
 }

server/src/main/java/io/pravega/schemaregistry/service/Config.java

@@ -61,7 +61,9 @@ public final class Config {
     public static final String TLS_CERT_FILE;
 
     public static final boolean AUTH_ENABLED;
-    public static final String AUTH_RESOURCE_QUALIFIER;
+    public static final String DOMAIN_RESOURCE_QUALIFIER;
+    public static final String NAMESPACE_RESOURCE_QUALIFIER;
+    public static final String GROUP_RESOURCE_QUALIFIER;
     public static final String USER_PASSWORD_FILE;
     public static final boolean DISABLE_BASIC_AUTHENTICATION;
 
@@ -91,7 +93,9 @@ public final class Config {
 
     private static final Property<Boolean> PROPERTY_AUTH_ENABLED = Property.named("security.auth.enable", false);
     private static final Property<String> PROPERTY_AUTH_PASSWORD_FILE = Property.named("security.pwdAuthHandler.accountsDb.location", "");
-    private static final Property<String> PROPERTY_AUTH_RESOURCE_QUALIFIER = Property.named("security.auth.resource.qualifier", "");
+    private static final Property<String> PROPERTY_DOMAIN_RESOURCE_QUALIFIER = Property.named("security.auth.resource.identifier.domain", "prn");
+    private static final Property<String> PROPERTY_NAMESPACE_RESOURCE_QUALIFIER = Property.named("security.auth.resource.identifier.namespace", "namespace");
+    private static final Property<String> PROPERTY_GROUP_RESOURCE_QUALIFIER = Property.named("security.auth.resource.identifier.group", "group");
     private static final Property<Boolean> PROPERTY_DISABLE_BASIC_AUTHENTICATION = Property.named("security.auth.method.basic.disable", false);
 
     private static final String COMPONENT_CODE = "schemaRegistry";
@@ -124,7 +128,9 @@ public final class Config {
 
         AUTH_ENABLED = p.getBoolean(PROPERTY_AUTH_ENABLED);
         DISABLE_BASIC_AUTHENTICATION = p.getBoolean(PROPERTY_DISABLE_BASIC_AUTHENTICATION);
-        AUTH_RESOURCE_QUALIFIER = p.get(PROPERTY_AUTH_RESOURCE_QUALIFIER);
+        DOMAIN_RESOURCE_QUALIFIER = p.get(PROPERTY_DOMAIN_RESOURCE_QUALIFIER);
+        NAMESPACE_RESOURCE_QUALIFIER = p.get(PROPERTY_NAMESPACE_RESOURCE_QUALIFIER);
+        GROUP_RESOURCE_QUALIFIER = p.get(PROPERTY_GROUP_RESOURCE_QUALIFIER);
         USER_PASSWORD_FILE = p.get(PROPERTY_AUTH_PASSWORD_FILE);
 
         SERVICE_CONFIG = createServiceConfig();

server/src/test/java/io/pravega/schemaregistry/server/rest/resources/SchemaRegistryAuthTest.java

@@ -194,7 +194,7 @@ public void groups() throws ExecutionException, InterruptedException {
         assertEquals(list.getContinuationToken(), ContinuationToken.fromString("token").toString());
     }
 
-    @Test
+    @Test(timeout = 10000)
     public void groupSchemas() throws ExecutionException, InterruptedException {
         doAnswer(x -> CompletableFuture.completedFuture(true)).when(service).canRead(any(), any(), any());
         SchemaInfo schemaInfo = new SchemaInfo()
@@ -206,6 +206,7 @@ public void groupSchemas() throws ExecutionException, InterruptedException {
                         AuthHelper.getAuthorizationHeader("Basic", Base64.getEncoder().encodeToString((SYSTEM_ADMIN + ":" + PASSWORD).getBytes(Charsets.UTF_8))))
                                                      .async().post(Entity.entity(schemaInfo, MediaType.APPLICATION_JSON));
         Response response = future.get();
+        assertEquals(response.getStatus(), 200);
         assertTrue(response.readEntity(CanRead.class).isCompatible());
 
         future = target("v1/groups").path("mygroup").path("schemas/versions/canRead").request().header(HttpHeaders.AUTHORIZATION,
@@ -235,14 +236,14 @@ private File createAuthFile() {
 
             try (FileWriter writer = new FileWriter(authFile.getAbsolutePath())) {
                 String defaultPassword = passwordEncryptor.encryptPassword(PASSWORD);
-                writer.write(credentialsAndAclAsString(SYSTEM_ADMIN, defaultPassword, "*,READ_UPDATE;"));
-                writer.write(credentialsAndAclAsString(SYSTEM_READER, defaultPassword, "/*,READ"));
-                writer.write(credentialsAndAclAsString(GROUP1_ADMIN, defaultPassword, "/group1,READ_UPDATE"));
-                writer.write(credentialsAndAclAsString(GROUP1_USER, defaultPassword, "/group1,READ"));
-                writer.write(credentialsAndAclAsString(GROUP2_USER, defaultPassword, "/group2,READ"));
-                writer.write(credentialsAndAclAsString(GROUP_1_2_USER, defaultPassword, "/group1,READ;/group2,READ;/group11,READ;/group12,READ"));
-                writer.write(credentialsAndAclAsString(NAMESPACE_USER, defaultPassword, "namespace/group1,READ_UPDATE"));
-                writer.write(credentialsAndAclAsString(NAMESPACE_ADMIN, defaultPassword, "namespace/*,READ_UPDATE"));
+                writer.write(credentialsAndAclAsString(SYSTEM_ADMIN, defaultPassword, "prn::*,READ_UPDATE;"));
+                writer.write(credentialsAndAclAsString(SYSTEM_READER, defaultPassword, "prn::/namespace:*,READ"));
+                writer.write(credentialsAndAclAsString(GROUP1_ADMIN, defaultPassword, "prn::/namespace:/group:group1,READ_UPDATE"));
+                writer.write(credentialsAndAclAsString(GROUP1_USER, defaultPassword, "prn::/namespace:/group:group1,READ"));
+                writer.write(credentialsAndAclAsString(GROUP2_USER, defaultPassword, "prn::/namespace:/group:group2,READ"));
+                writer.write(credentialsAndAclAsString(GROUP_1_2_USER, defaultPassword, "prn::/namespace:/group:group1,READ;prn::/namespace:/group:group2,READ;prn::/namespace:/group:group11,READ;prn::/namespace:/group:group12,READ"));
+                writer.write(credentialsAndAclAsString(NAMESPACE_USER, defaultPassword, "prn::/namespace:namespace/group:group1,READ_UPDATE"));
+                writer.write(credentialsAndAclAsString(NAMESPACE_ADMIN, defaultPassword, "prn::/namespace:namespace/*,READ_UPDATE"));
             }
             return authFile;
         } catch (IOException | NoSuchAlgorithmException | InvalidKeySpecException e) {