Add a configuration based authorizer

Author: zacw7

http-server/src/main/java/com/facebook/airlift/http/server/ConfigurationBasedAuthorizer.java

@@ -0,0 +1,79 @@
+/*
+ * Copyright 2010 Proofpoint, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.facebook.airlift.http.server;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.inject.Inject;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.Principal;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+import java.util.regex.Pattern;
+
+import static com.facebook.airlift.http.server.AuthorizationResult.failure;
+import static com.facebook.airlift.http.server.AuthorizationResult.success;
+import static com.google.common.collect.ImmutableMap.toImmutableMap;
+import static com.google.common.collect.Maps.fromProperties;
+import static java.lang.String.format;
+import static java.util.Objects.requireNonNull;
+
+public class ConfigurationBasedAuthorizer
+        implements Authorizer
+{
+    private final Map<String, Pattern> roleRegexMap;
+
+    @Inject
+    public ConfigurationBasedAuthorizer(ConfigurationBasedAuthorizerConfig config)
+            throws IOException
+    {
+        this(config.getRoleMapFilePath());
+    }
+
+    @VisibleForTesting
+    public ConfigurationBasedAuthorizer(String roleMapFilePath)
+            throws IOException
+    {
+        requireNonNull(roleMapFilePath, "roleMapFilePath is null");
+        Properties properties = new Properties();
+        try (InputStream inputStream = new FileInputStream(roleMapFilePath)) {
+            properties.load(inputStream);
+        }
+        roleRegexMap = fromProperties(properties)
+                .entrySet()
+                .stream()
+                .collect(toImmutableMap(Map.Entry::getKey, e -> Pattern.compile(e.getValue())));
+    }
+
+    @Override
+    public AuthorizationResult authorize(Principal principal, Set<String> allowedRoles)
+    {
+        for (String role : allowedRoles) {
+            if (roleRegexMap.containsKey(role) && isPrincipalAuthorized(principal, roleRegexMap.get(role))) {
+                return success();
+            }
+        }
+        return failure(format("%s is not a member of the allowed roles: %s", principal.getName(), allowedRoles));
+    }
+
+    private boolean isPrincipalAuthorized(Principal principal, Pattern identityRegex)
+    {
+        return identityRegex.matcher(principal.getName()).matches();
+    }
+}

http-server/src/main/java/com/facebook/airlift/http/server/ConfigurationBasedAuthorizerConfig.java

@@ -0,0 +1,38 @@
+/*
+ * Copyright 2010 Proofpoint, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.facebook.airlift.http.server;
+
+import com.facebook.airlift.configuration.Config;
+
+import javax.validation.constraints.NotNull;
+
+public class ConfigurationBasedAuthorizerConfig
+{
+    private String roleMapFilePath;
+
+    @NotNull
+    public String getRoleMapFilePath()
+    {
+        return roleMapFilePath;
+    }
+
+    @Config("configuration-based-authorizer.role-regex-map.file-path")
+    public ConfigurationBasedAuthorizerConfig setRoleMapFilePath(String roleMapFilePath)
+    {
+        this.roleMapFilePath = roleMapFilePath;
+        return this;
+    }
+}

http-server/src/main/java/com/facebook/airlift/http/server/ConfigurationBasedAuthorizerModule.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright 2010 Proofpoint, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.facebook.airlift.http.server;
+
+import com.google.inject.Binder;
+import com.google.inject.Module;
+
+import static com.facebook.airlift.configuration.ConfigBinder.configBinder;
+
+public class ConfigurationBasedAuthorizerModule
+        implements Module
+{
+    @Override
+    public void configure(Binder binder)
+    {
+        binder.bind(Authorizer.class).to(ConfigurationBasedAuthorizer.class);
+        configBinder(binder).bindConfig(ConfigurationBasedAuthorizerConfig.class);
+    }
+}

http-server/src/main/java/com/facebook/airlift/http/server/testing/TestingHttpServerModule.java

@@ -88,6 +88,5 @@ public void configure(Binder binder)
     List<Authenticator> getAuthenticatorList(Set<Authenticator> authenticators)
     {
         return ImmutableList.copyOf(authenticators);
-        newOptionalBinder(binder, Authorizer.class);
     }
 }

http-server/src/test/java/com/facebook/airlift/http/server/TestConfigurationBasedAuthorizer.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright 2010 Proofpoint, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.facebook.airlift.http.server;
+
+import com.google.common.collect.ImmutableSet;
+import org.testng.annotations.Test;
+
+import java.io.IOException;
+
+import static org.testng.Assert.assertFalse;
+import static org.testng.Assert.assertTrue;
+
+public class TestConfigurationBasedAuthorizer
+{
+    @Test
+    public void testAuthorize()
+            throws IOException
+    {
+        Authorizer authorizer = new ConfigurationBasedAuthorizer("src/test/resources/roles.properties");
+        assertTrue(authorizer.authorize(() -> "tom", ImmutableSet.of("user")).isAllowed());
+        assertTrue(authorizer.authorize(() -> "jerry", ImmutableSet.of("user")).isAllowed());
+        assertFalse(authorizer.authorize(() -> "jacob", ImmutableSet.of("user")).isAllowed());
+        assertTrue(authorizer.authorize(() -> "jacob", ImmutableSet.of("admin")).isAllowed());
+        assertFalse(authorizer.authorize(() -> "foo.bar", ImmutableSet.of("service")).isAllowed());
+        assertTrue(authorizer.authorize(() -> "gateway.airlift", ImmutableSet.of("service")).isAllowed());
+        assertTrue(authorizer.authorize(() -> "logger.airlift", ImmutableSet.of("service")).isAllowed());
+    }
+}

http-server/src/test/java/com/facebook/airlift/http/server/TestConfigurationBasedAuthorizerConfig.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2010 Proofpoint, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.facebook.airlift.http.server;
+
+import com.facebook.airlift.configuration.testing.ConfigAssertions;
+import com.google.common.collect.ImmutableMap;
+import org.testng.annotations.Test;
+
+import java.util.Map;
+
+import static com.facebook.airlift.configuration.testing.ConfigAssertions.assertFullMapping;
+import static com.facebook.airlift.configuration.testing.ConfigAssertions.assertRecordedDefaults;
+
+public class TestConfigurationBasedAuthorizerConfig
+{
+    @Test
+    public void testDefaults()
+    {
+        assertRecordedDefaults(ConfigAssertions.recordDefaults(ConfigurationBasedAuthorizerConfig.class)
+                .setRoleMapFilePath(null));
+    }
+
+    @Test
+    public void testExplicitPropertyMappings()
+    {
+        Map<String, String> properties = new ImmutableMap.Builder<String, String>()
+                .put("configuration-based-authorizer.role-regex-map.file-path", "roles.properties")
+                .build();
+
+        ConfigurationBasedAuthorizerConfig expected = new ConfigurationBasedAuthorizerConfig()
+                .setRoleMapFilePath("roles.properties");
+
+        assertFullMapping(properties, expected);
+    }
+}

http-server/src/test/resources/roles.properties

@@ -0,0 +1,3 @@
+user=tom|jerry
+admin=jacob
+service=([^\\.]*)\\.airlift