-
Notifications
You must be signed in to change notification settings - Fork 4.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add required roles to API endpoints (#21664)
* Restore auth poc * Formatting * Custom Netty pipeline handler to aid authorization * Fix handler name * Cleanup * Remove cloud code * Disable API authorization in OSS * Remove unused dependency * Add newline * Add required roles
- Loading branch information
1 parent
d77514d
commit b786a18
Showing
26 changed files
with
417 additions
and
15 deletions.
There are no files selected for viewing
92 changes: 92 additions & 0 deletions
92
airbyte-commons/src/main/java/io/airbyte/commons/auth/AuthRole.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| /* | ||
| * Copyright (c) 2022 Airbyte, Inc., all rights reserved. | ||
| */ | ||
|
|
||
| package io.airbyte.commons.auth; | ||
|
|
||
| import java.util.Comparator; | ||
| import java.util.HashSet; | ||
| import java.util.LinkedHashSet; | ||
| import java.util.Set; | ||
| import java.util.stream.Collectors; | ||
| import java.util.stream.Stream; | ||
|
|
||
| /** | ||
| * This enum describes the standard auth levels for a given resource. It currently is only used for | ||
| * 2 resources Workspace and Instance (i.e. the entire instance or deployment of Airbyte). | ||
| * | ||
| * In the context of a workspace, there is a 1:1 mapping. | ||
| * <ul> | ||
| * <li>OWNER => WORKSPACE OWNER. Superadmin of the instance (typically the person that created it), | ||
| * has all the rights on the instance including deleting it.</li> | ||
| * <li>ADMIN => WORKSPACE ADMIN. Admin of the instance, can invite other users, update their | ||
| * permission and change settings of the instance.</li> | ||
| * <li>EDITOR => WORKSPACE EDITOR</li> | ||
| * <li>READER => WORKSPACE READER</li> | ||
| * <li>AUTHENTICATED_USER => INVALID</li> | ||
| * <li>NONE => NONE (does not have access to this resource)</li> | ||
| * </ul> | ||
| * In the context of the instance, there are currently only 3 levels. | ||
| * <ul> | ||
| * <li>ADMIN => INSTANCE ADMIN</li> | ||
| * <li>AUTHENTICATED_USER => Denotes that all that is required for access is an active Airbyte | ||
| * account. This should only ever be used when the associated resource is an INSTANCE. All other | ||
| * uses are invalid. It is a special value in the enum to handle a case that only applies to | ||
| * instances and no other resources.</li> | ||
| * <li>NONE => NONE (not applicable. anyone being checked in our auth stack already has an account | ||
| * so by definition they have some access to the instance.)</li> | ||
| * </ul> | ||
| */ | ||
| public enum AuthRole { | ||
|
|
||
| OWNER(500, AuthRoleConstants.OWNER), | ||
| ADMIN(400, AuthRoleConstants.ADMIN), | ||
| EDITOR(300, AuthRoleConstants.EDITOR), | ||
| READER(200, AuthRoleConstants.READER), | ||
| AUTHENTICATED_USER(100, AuthRoleConstants.AUTHENTICATED_USER), // ONLY USE WITH INSTANCE RESOURCE! | ||
| NONE(0, AuthRoleConstants.NONE); | ||
|
|
||
| private final int authority; | ||
| private final String label; | ||
|
|
||
| AuthRole(final int authority, final String label) { | ||
| this.authority = authority; | ||
| this.label = label; | ||
| } | ||
|
|
||
| public int getAuthority() { | ||
| return authority; | ||
| } | ||
|
|
||
| public String getLabel() { | ||
| return label; | ||
| } | ||
|
|
||
| /** | ||
| * Builds the set of roles based on the provided {@link AuthRole} value. | ||
| * <p> | ||
| * The generated set of auth roles contains the provided {@link AuthRole} (if not {@code null}) and | ||
| * any other authentication roles with a lesser {@link #getAuthority()} value. | ||
| * </p> | ||
| * | ||
| * @param authRole An {@link AuthRole} (may be {@code null}). | ||
| * @return The set of {@link AuthRole}s based on the provided {@link AuthRole}. | ||
| */ | ||
| public static Set<AuthRole> buildAuthRolesSet(final AuthRole authRole) { | ||
| final Set<AuthRole> authRoles = new HashSet<>(); | ||
|
|
||
| if (authRole != null) { | ||
| authRoles.add(authRole); | ||
| authRoles.addAll(Stream.of(values()) | ||
| .filter(role -> !NONE.equals(role)) | ||
| .filter(role -> role.getAuthority() < authRole.getAuthority()) | ||
| .collect(Collectors.toSet())); | ||
| } | ||
|
|
||
| // Sort final set by descending authority order | ||
| return authRoles.stream() | ||
| .sorted(Comparator.comparingInt(AuthRole::getAuthority)) | ||
| .collect(Collectors.toCollection(LinkedHashSet::new)); | ||
| } | ||
|
|
||
| } |
21 changes: 21 additions & 0 deletions
21
airbyte-commons/src/main/java/io/airbyte/commons/auth/AuthRoleConstants.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| /* | ||
| * Copyright (c) 2022 Airbyte, Inc., all rights reserved. | ||
| */ | ||
|
|
||
| package io.airbyte.commons.auth; | ||
|
|
||
| /** | ||
| * Collection of constants that defines authorization roles. | ||
| */ | ||
| public final class AuthRoleConstants { | ||
|
|
||
| public static final String ADMIN = "ADMIN"; | ||
| public static final String AUTHENTICATED_USER = "AUTHENTICATED_USER"; | ||
| public static final String EDITOR = "EDITOR"; | ||
| public static final String OWNER = "OWNER"; | ||
| public static final String NONE = "NONE"; | ||
| public static final String READER = "READER"; | ||
|
|
||
| private AuthRoleConstants() {} | ||
|
|
||
| } |
47 changes: 47 additions & 0 deletions
47
airbyte-commons/src/test/java/io/airbyte/commons/auth/AuthRoleTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| /* | ||
| * Copyright (c) 2022 Airbyte, Inc., all rights reserved. | ||
| */ | ||
|
|
||
| package io.airbyte.commons.auth; | ||
|
|
||
| import static org.junit.jupiter.api.Assertions.assertEquals; | ||
|
|
||
| import java.util.Set; | ||
| import org.junit.jupiter.api.Test; | ||
|
|
||
| /** | ||
| * Test suite for the {@link AuthRole} enumeration. | ||
| */ | ||
| class AuthRoleTest { | ||
|
|
||
| @Test | ||
| void testBuildingAuthRoleSet() { | ||
| final Set<AuthRole> ownerResult = AuthRole.buildAuthRolesSet(AuthRole.OWNER); | ||
| assertEquals(5, ownerResult.size()); | ||
| assertEquals(Set.of(AuthRole.OWNER, AuthRole.ADMIN, AuthRole.EDITOR, AuthRole.READER, AuthRole.AUTHENTICATED_USER), ownerResult); | ||
|
|
||
| final Set<AuthRole> adminResult = AuthRole.buildAuthRolesSet(AuthRole.ADMIN); | ||
| assertEquals(4, adminResult.size()); | ||
| assertEquals(Set.of(AuthRole.ADMIN, AuthRole.EDITOR, AuthRole.READER, AuthRole.AUTHENTICATED_USER), adminResult); | ||
|
|
||
| final Set<AuthRole> editorResult = AuthRole.buildAuthRolesSet(AuthRole.EDITOR); | ||
| assertEquals(3, editorResult.size()); | ||
| assertEquals(Set.of(AuthRole.EDITOR, AuthRole.READER, AuthRole.AUTHENTICATED_USER), editorResult); | ||
|
|
||
| final Set<AuthRole> readerResult = AuthRole.buildAuthRolesSet(AuthRole.READER); | ||
| assertEquals(2, readerResult.size()); | ||
| assertEquals(Set.of(AuthRole.READER, AuthRole.AUTHENTICATED_USER), readerResult); | ||
|
|
||
| final Set<AuthRole> authenticatedUserResult = AuthRole.buildAuthRolesSet(AuthRole.AUTHENTICATED_USER); | ||
| assertEquals(1, authenticatedUserResult.size()); | ||
| assertEquals(Set.of(AuthRole.AUTHENTICATED_USER), authenticatedUserResult); | ||
|
|
||
| final Set<AuthRole> noneResult = AuthRole.buildAuthRolesSet(AuthRole.NONE); | ||
| assertEquals(1, noneResult.size()); | ||
| assertEquals(Set.of(AuthRole.NONE), noneResult); | ||
|
|
||
| final Set<AuthRole> nullResult = AuthRole.buildAuthRolesSet(null); | ||
| assertEquals(0, nullResult.size()); | ||
| } | ||
|
|
||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.